# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 18.03.2020 22:18:30.175 Process: id = "1" image_name = "kinodomino.exe" filename = "c:\\users\\fd1hvy\\desktop\\kinodomino.exe" page_root = "0x18abc000" os_pid = "0x11e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x560" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\kinodomino.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x11dc [0074.897] LocalAlloc (uFlags=0x0, uBytes=0xa8) returned 0xa201f0 [0074.969] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x772d0000 [0074.984] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77970000 [0074.993] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x95fad0 | out: Wow64Process=0x95fad0) returned 1 [0075.001] IsDebuggerPresent () returned 0 [0075.002] CheckRemoteDebuggerPresent (in: hProcess=0xffffffff, pbDebuggerPresent=0x95f9ac | out: pbDebuggerPresent=0x95f9ac) returned 1 [0075.505] NtQueryInformationProcess (in: ProcessHandle=0xffffffffffffffff, ProcessInformationClass=0x1e, ProcessInformation=0x95f67c, ProcessInformationLength=0x8, ReturnLength=0x95fa7c | out: ProcessInformation=0x95f67c, ReturnLength=0x95fa7c) returned 0xc0000353 [0075.506] NtSetInformationThread (ThreadHandle=0xfffffffffffffffe, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0075.507] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x95fa8c, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x95fa8c, ResultLength=0x0) returned 0x0 [0075.507] NtQuerySystemInformation (in: SystemInformationClass=0xb, SystemInformation=0x95fa9c, Length=0x0, ResultLength=0x95fa84 | out: SystemInformation=0x95fa9c, ResultLength=0x95fa84*=0xa0e0) returned 0xc0000004 [0075.516] LocalAlloc (uFlags=0x0, uBytes=0x141c0) returned 0xa2e7d0 [0075.517] NtQuerySystemInformation (in: SystemInformationClass=0xb, SystemInformation=0xa2e7d0, Length=0x141c0, ResultLength=0x0 | out: SystemInformation=0xa2e7d0, ResultLength=0x0) returned 0x0 [0075.910] LocalFree (hMem=0xa2e7d0) returned 0x0 [0076.109] GetModuleFileNameW (in: hModule=0x10000, lpFilename=0x95f6c4, nSize=0xfe | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\kinodomino.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\kinodomino.exe")) returned 0x26 [0076.110] NtOpenFile (in: FileHandle=0x95f678, DesiredAccess=0x80100080, ObjectAttributes=0x95f640*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\FD1HVy\\Desktop\\kinodomino.exe", Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x95f668, ShareAccess=0x3, OpenOptions=0x60 | out: FileHandle=0x95f678*=0x1d0, IoStatusBlock=0x95f668*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0076.112] NtCreateSection (in: SectionHandle=0x95f674, DesiredAccess=0x4, ObjectAttributes=0x95f640*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), MaximumSize=0x0, SectionPageProtection=0x2, AllocationAttributes=0x8000000, FileHandle=0x1d0 | out: SectionHandle=0x95f674*=0x1d4) returned 0x0 [0076.113] NtMapViewOfSection (in: SectionHandle=0x1d4, ProcessHandle=0xffffffffffffffff, BaseAddress=0x95f668*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x95f97800000000, ViewSize=0x95f660*=0x0, InheritDisposition=0x100000000, AllocationType=0x0, AccessProtection=0x0 | out: BaseAddress=0x95f668*=0x0, SectionOffset=0x95f97800000000, ViewSize=0x95f660*=0x0) returned 0xc00000f6 [0076.113] NtClose (Handle=0x1d4) returned 0x0 [0076.114] NtClose (Handle=0x1d0) returned 0x0 [0076.114] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x95f67c*=0x20000, NumberOfBytesToProtect=0x95f674, NewAccessProtection=0x40, OldAccessProtection=0x95f9a4 | out: BaseAddress=0x95f67c*=0x20000, NumberOfBytesToProtect=0x95f674, OldAccessProtection=0x95f9a4*=0x20) returned 0x0 [0078.955] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x95f67c*=0x1a000, NumberOfBytesToProtect=0x95f674, NewAccessProtection=0x4, OldAccessProtection=0x95f9a4 | out: BaseAddress=0x95f67c*=0x1a000, NumberOfBytesToProtect=0x95f674, OldAccessProtection=0x95f9a4*=0x2) returned 0x0 [0078.956] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x95f67c*=0x45000, NumberOfBytesToProtect=0x95f674, NewAccessProtection=0x4, OldAccessProtection=0x95f9a4 | out: BaseAddress=0x95f67c*=0x45000, NumberOfBytesToProtect=0x95f674, OldAccessProtection=0x95f9a4*=0x80) returned 0x0 [0078.958] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x772d0000 [0078.971] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0078.974] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0078.996] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0078.997] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.002] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.008] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.014] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.015] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.016] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.019] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x756e0000 [0079.025] GetModuleHandleA (lpModuleName="SHELL32.dll") returned 0x75760000 [0079.026] GetModuleHandleA (lpModuleName="SHLWAPI.dll") returned 0x76ba0000 [0079.028] GetModuleHandleA (lpModuleName="WTSAPI32.dll") returned 0x742d0000 [0079.029] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x772d0000 [0079.074] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.074] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.075] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.075] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.096] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.121] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.123] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77970000 [0079.127] GetModuleHandleA (lpModuleName="USER32.dll") returned 0x750c0000 [0079.130] CloseHandle (hObject=0xdeadc0de) returned 0 [0079.494] VirtualQuery (in: lpAddress=0x43d604, lpBuffer=0x95e628, dwLength=0x1c | out: lpBuffer=0x95e628*(BaseAddress=0x43d000, AllocationBase=0x10000, AllocationProtect=0x80, RegionSize=0x17f000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0079.700] RtlUnwind (TargetFrame=0x95fb04, TargetIp=0x3d3fc, ExceptionRecord=0x0, ReturnValue=0x0) [0079.701] NtQueryVirtualMemory (in: ProcessHandle=0xffffffffffffffff, Address=0xa201f0, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x95f650, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0x95f650*(BaseAddress=0xa20000, AllocationBase=0x0, AllocationProtect=0xa10000, RegionSize=0x0, State=0x4, Protect=0xffff9302, Type=0x24000), ResultLength=0x0) returned 0x0 [0079.702] NtQueryVirtualMemory (in: ProcessHandle=0xffffffffffffffff, Address=0x5bf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x95f650, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0x95f650*(BaseAddress=0x5bf000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xffff9302, Type=0x1000), ResultLength=0x0) returned 0x0 [0080.731] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x95fa58, lpSystemAffinityMask=0x95fa98 | out: lpProcessAffinityMask=0x95fa58, lpSystemAffinityMask=0x95fa98) returned 1 [0081.367] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x1) returned 0x1 [0081.367] Sleep (dwMilliseconds=0x0) [0081.370] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x1) returned 0x1 [0081.370] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x2) returned 0x0 [0081.370] Sleep (dwMilliseconds=0x0) [0081.373] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0081.373] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x4) returned 0x0 [0081.373] Sleep (dwMilliseconds=0x0) [0081.377] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0081.377] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x8) returned 0x0 [0081.378] Sleep (dwMilliseconds=0x0) [0081.382] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0081.836] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x95e554 | out: lpSystemTimeAsFileTime=0x95e554*(dwLowDateTime=0x57198b44, dwHighDateTime=0x1d5fd73)) [0081.941] GetCurrentProcessId () returned 0x11e0 [0082.149] GetCurrentThreadId () returned 0x11dc [0082.246] GetTickCount () returned 0x1155dbc [0082.475] QueryPerformanceCounter (in: lpPerformanceCount=0x95e54c | out: lpPerformanceCount=0x95e54c*=17833295867) returned 1 [0083.298] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2730000 [0084.002] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0084.221] GetProcAddress (hModule=0x772d0000, lpProcName="FlsAlloc") returned 0x772e4ae0 [0084.222] GetProcAddress (hModule=0x772d0000, lpProcName="FlsGetValue") returned 0x772e4b20 [0084.222] GetProcAddress (hModule=0x772d0000, lpProcName="FlsSetValue") returned 0x772e4b40 [0084.222] GetProcAddress (hModule=0x772d0000, lpProcName="FlsFree") returned 0x772e4b00 [0084.931] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0085.508] GetProcAddress (hModule=0x772d0000, lpProcName="EncodePointer") returned 0x779d29e0 [0086.193] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0086.193] GetProcAddress (hModule=0x772d0000, lpProcName="EncodePointer") returned 0x779d29e0 [0086.194] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0086.194] GetProcAddress (hModule=0x772d0000, lpProcName="EncodePointer") returned 0x779d29e0 [0086.194] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0086.194] GetProcAddress (hModule=0x772d0000, lpProcName="EncodePointer") returned 0x779d29e0 [0086.195] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0086.195] GetProcAddress (hModule=0x772d0000, lpProcName="EncodePointer") returned 0x779d29e0 [0086.195] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0086.195] GetProcAddress (hModule=0x772d0000, lpProcName="EncodePointer") returned 0x779d29e0 [0086.195] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0086.196] GetProcAddress (hModule=0x772d0000, lpProcName="EncodePointer") returned 0x779d29e0 [0087.122] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0087.465] GetProcAddress (hModule=0x772d0000, lpProcName="DecodePointer") returned 0x779d1ec0 [0088.387] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x214) returned 0x27305a8 [0088.409] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0088.517] GetProcAddress (hModule=0x772d0000, lpProcName="DecodePointer") returned 0x779d1ec0 [0089.741] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0090.008] GetProcAddress (hModule=0x772d0000, lpProcName="EncodePointer") returned 0x779d29e0 [0090.009] GetProcAddress (hModule=0x772d0000, lpProcName="DecodePointer") returned 0x779d1ec0 [0093.283] GetCurrentThreadId () returned 0x11dc [0094.029] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\kinodomino.exe\" " [0094.482] GetEnvironmentStringsW () returned 0xa2e7d0* [0094.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0094.760] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x565) returned 0x27307c8 [0094.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x27307c8, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0095.213] FreeEnvironmentStringsW (penv=0xa2e7d0) returned 1 [0095.713] GetStartupInfoA (in: lpStartupInfo=0x95e4a4 | out: lpStartupInfo=0x95e4a4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\kinodomino.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0095.733] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x800) returned 0x2730d38 [0096.980] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0096.980] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0096.980] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0097.214] SetHandleCount (uNumber=0x20) returned 0x20 [0097.713] GetLastError () returned 0x0 [0098.401] SetLastError (dwErrCode=0x0) [0098.401] GetLastError () returned 0x0 [0098.401] SetLastError (dwErrCode=0x0) [0098.429] GetLastError () returned 0x0 [0098.429] SetLastError (dwErrCode=0x0) [0099.004] GetACP () returned 0x4e4 [0099.004] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x220) returned 0x2731540 [0099.004] GetLastError () returned 0x0 [0099.004] SetLastError (dwErrCode=0x0) [0099.239] IsValidCodePage (CodePage=0x4e4) returned 1 [0099.330] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x95e484 | out: lpCPInfo=0x95e484) returned 1 [0099.620] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x95df50 | out: lpCPInfo=0x95df50) returned 1 [0099.620] GetLastError () returned 0x0 [0099.621] SetLastError (dwErrCode=0x0) [0099.778] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x95dee0 | out: lpCharType=0x95dee0) returned 1 [0099.778] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95e364, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0099.856] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95e364, cbMultiByte=256, lpWideCharStr=0x95dcc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0099.872] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x95df64 | out: lpCharType=0x95df64) returned 1 [0099.872] GetLastError () returned 0x0 [0099.872] SetLastError (dwErrCode=0x0) [0100.474] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0100.474] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95e364, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.474] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95e364, cbMultiByte=256, lpWideCharStr=0x95dc98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ⿋町\x03Ā") returned 256 [0100.496] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ⿋町\x03Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0100.852] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ⿋町\x03Ā", cchSrc=256, lpDestStr=0x95da88, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0101.016] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchWideChar=256, lpMultiByteStr=0x95e264, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ °¾q\x9cä\x95", lpUsedDefaultChar=0x0) returned 256 [0101.016] GetLastError () returned 0x0 [0101.016] SetLastError (dwErrCode=0x0) [0101.016] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95e364, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0101.016] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95e364, cbMultiByte=256, lpWideCharStr=0x95dcb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ⿋町\x03Ā") returned 256 [0101.017] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ⿋町\x03Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0101.017] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ⿋町\x03Ā", cchSrc=256, lpDestStr=0x95daa8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ") returned 256 [0101.017] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ", cchWideChar=256, lpMultiByteStr=0x95e164, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ °¾q\x9cä\x95", lpUsedDefaultChar=0x0) returned 256 [0102.110] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x48528, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\kinodomino.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\kinodomino.exe")) returned 0x26 [0102.110] GetLastError () returned 0x0 [0102.110] SetLastError (dwErrCode=0x0) [0102.110] GetLastError () returned 0x0 [0102.110] SetLastError (dwErrCode=0x0) [0102.111] GetLastError () returned 0x0 [0102.111] SetLastError (dwErrCode=0x0) [0102.111] GetLastError () returned 0x0 [0102.111] SetLastError (dwErrCode=0x0) [0102.111] GetLastError () returned 0x0 [0102.111] SetLastError (dwErrCode=0x0) [0102.111] GetLastError () returned 0x0 [0102.111] SetLastError (dwErrCode=0x0) [0102.111] GetLastError () returned 0x0 [0102.111] SetLastError (dwErrCode=0x0) [0102.111] GetLastError () returned 0x0 [0102.111] SetLastError (dwErrCode=0x0) [0102.111] GetLastError () returned 0x0 [0102.111] SetLastError (dwErrCode=0x0) [0102.111] GetLastError () returned 0x0 [0102.111] SetLastError (dwErrCode=0x0) [0102.111] GetLastError () returned 0x0 [0102.112] SetLastError (dwErrCode=0x0) [0102.112] GetLastError () returned 0x0 [0102.112] SetLastError (dwErrCode=0x0) [0102.112] GetLastError () returned 0x0 [0102.112] SetLastError (dwErrCode=0x0) [0102.112] GetLastError () returned 0x0 [0102.112] SetLastError (dwErrCode=0x0) [0102.112] GetLastError () returned 0x0 [0102.112] SetLastError (dwErrCode=0x0) [0102.112] GetLastError () returned 0x0 [0102.112] SetLastError (dwErrCode=0x0) [0102.112] GetLastError () returned 0x0 [0102.112] SetLastError (dwErrCode=0x0) [0102.112] GetLastError () returned 0x0 [0102.112] SetLastError (dwErrCode=0x0) [0102.112] GetLastError () returned 0x0 [0102.112] SetLastError (dwErrCode=0x0) [0102.113] GetLastError () returned 0x0 [0102.113] SetLastError (dwErrCode=0x0) [0102.113] GetLastError () returned 0x0 [0102.113] SetLastError (dwErrCode=0x0) [0102.113] GetLastError () returned 0x0 [0102.113] SetLastError (dwErrCode=0x0) [0102.113] GetLastError () returned 0x0 [0102.113] SetLastError (dwErrCode=0x0) [0102.113] GetLastError () returned 0x0 [0102.113] SetLastError (dwErrCode=0x0) [0102.113] GetLastError () returned 0x0 [0102.113] SetLastError (dwErrCode=0x0) [0102.113] GetLastError () returned 0x0 [0102.113] SetLastError (dwErrCode=0x0) [0102.113] GetLastError () returned 0x0 [0102.113] SetLastError (dwErrCode=0x0) [0102.113] GetLastError () returned 0x0 [0102.113] SetLastError (dwErrCode=0x0) [0102.114] GetLastError () returned 0x0 [0102.114] SetLastError (dwErrCode=0x0) [0102.114] GetLastError () returned 0x0 [0102.114] SetLastError (dwErrCode=0x0) [0102.114] GetLastError () returned 0x0 [0102.114] SetLastError (dwErrCode=0x0) [0102.114] GetLastError () returned 0x0 [0102.114] SetLastError (dwErrCode=0x0) [0102.114] GetLastError () returned 0x0 [0102.114] SetLastError (dwErrCode=0x0) [0102.114] GetLastError () returned 0x0 [0102.114] SetLastError (dwErrCode=0x0) [0102.114] GetLastError () returned 0x0 [0102.114] SetLastError (dwErrCode=0x0) [0102.114] GetLastError () returned 0x0 [0102.114] SetLastError (dwErrCode=0x0) [0102.114] GetLastError () returned 0x0 [0102.115] SetLastError (dwErrCode=0x0) [0102.115] GetLastError () returned 0x0 [0102.115] SetLastError (dwErrCode=0x0) [0102.115] GetLastError () returned 0x0 [0102.115] SetLastError (dwErrCode=0x0) [0102.115] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x2f) returned 0x2731768 [0102.115] GetLastError () returned 0x0 [0102.115] SetLastError (dwErrCode=0x0) [0102.115] GetLastError () returned 0x0 [0102.115] SetLastError (dwErrCode=0x0) [0102.115] GetLastError () returned 0x0 [0102.115] SetLastError (dwErrCode=0x0) [0102.115] GetLastError () returned 0x0 [0102.115] SetLastError (dwErrCode=0x0) [0102.115] GetLastError () returned 0x0 [0102.115] SetLastError (dwErrCode=0x0) [0102.115] GetLastError () returned 0x0 [0102.115] SetLastError (dwErrCode=0x0) [0102.115] GetLastError () returned 0x0 [0102.116] SetLastError (dwErrCode=0x0) [0102.116] GetLastError () returned 0x0 [0102.116] SetLastError (dwErrCode=0x0) [0102.116] GetLastError () returned 0x0 [0102.116] SetLastError (dwErrCode=0x0) [0102.116] GetLastError () returned 0x0 [0102.116] SetLastError (dwErrCode=0x0) [0102.116] GetLastError () returned 0x0 [0102.116] SetLastError (dwErrCode=0x0) [0102.116] GetLastError () returned 0x0 [0102.116] SetLastError (dwErrCode=0x0) [0102.116] GetLastError () returned 0x0 [0102.116] SetLastError (dwErrCode=0x0) [0102.116] GetLastError () returned 0x0 [0102.116] SetLastError (dwErrCode=0x0) [0102.116] GetLastError () returned 0x0 [0102.116] SetLastError (dwErrCode=0x0) [0102.117] GetLastError () returned 0x0 [0102.117] SetLastError (dwErrCode=0x0) [0102.117] GetLastError () returned 0x0 [0102.117] SetLastError (dwErrCode=0x0) [0102.117] GetLastError () returned 0x0 [0102.117] SetLastError (dwErrCode=0x0) [0102.117] GetLastError () returned 0x0 [0102.117] SetLastError (dwErrCode=0x0) [0102.117] GetLastError () returned 0x0 [0102.117] SetLastError (dwErrCode=0x0) [0102.117] GetLastError () returned 0x0 [0102.117] SetLastError (dwErrCode=0x0) [0102.117] GetLastError () returned 0x0 [0102.117] SetLastError (dwErrCode=0x0) [0102.117] GetLastError () returned 0x0 [0102.117] SetLastError (dwErrCode=0x0) [0102.117] GetLastError () returned 0x0 [0102.118] SetLastError (dwErrCode=0x0) [0102.118] GetLastError () returned 0x0 [0102.118] SetLastError (dwErrCode=0x0) [0102.118] GetLastError () returned 0x0 [0102.118] SetLastError (dwErrCode=0x0) [0102.118] GetLastError () returned 0x0 [0102.118] SetLastError (dwErrCode=0x0) [0102.118] GetLastError () returned 0x0 [0102.118] SetLastError (dwErrCode=0x0) [0102.118] GetLastError () returned 0x0 [0102.118] SetLastError (dwErrCode=0x0) [0102.118] GetLastError () returned 0x0 [0102.118] SetLastError (dwErrCode=0x0) [0102.118] GetLastError () returned 0x0 [0102.118] SetLastError (dwErrCode=0x0) [0102.118] GetLastError () returned 0x0 [0102.118] SetLastError (dwErrCode=0x0) [0102.118] GetLastError () returned 0x0 [0102.119] SetLastError (dwErrCode=0x0) [0102.119] GetLastError () returned 0x0 [0102.119] SetLastError (dwErrCode=0x0) [0102.119] GetLastError () returned 0x0 [0102.119] SetLastError (dwErrCode=0x0) [0102.119] GetLastError () returned 0x0 [0102.119] SetLastError (dwErrCode=0x0) [0102.119] GetLastError () returned 0x0 [0102.119] SetLastError (dwErrCode=0x0) [0102.119] GetLastError () returned 0x0 [0102.119] SetLastError (dwErrCode=0x0) [0102.119] GetLastError () returned 0x0 [0102.119] SetLastError (dwErrCode=0x0) [0102.119] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x94) returned 0x27317a0 [0102.119] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x1f) returned 0x2731840 [0102.119] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x28) returned 0x2731868 [0102.119] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x37) returned 0x2731898 [0102.119] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x3c) returned 0x27318d8 [0102.119] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x31) returned 0x2731920 [0102.119] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x14) returned 0x2731960 [0102.119] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x24) returned 0x2731980 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0xd) returned 0x27319b0 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x17) returned 0x27319c8 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x2b) returned 0x27319e8 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x15) returned 0x2731a20 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x17) returned 0x2731a40 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x22) returned 0x2731a60 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0xe) returned 0x2731a90 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0xc1) returned 0x2731aa8 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x3e) returned 0x2731b78 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x1b) returned 0x2731bc0 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x1d) returned 0x2731be8 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x48) returned 0x2731c10 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x12) returned 0x2731c60 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x18) returned 0x2731c80 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x1b) returned 0x2731ca0 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x24) returned 0x2731cc8 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x29) returned 0x2731cf8 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x1e) returned 0x2731d30 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x6b) returned 0x2731d58 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x17) returned 0x2731dd0 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0xf) returned 0x2731df0 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x16) returned 0x2731e08 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x28) returned 0x2731e28 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x27) returned 0x2731e58 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x12) returned 0x2731e88 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x21) returned 0x2731ea8 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x10) returned 0x2731ed8 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x1c) returned 0x2731ef0 [0102.120] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x12) returned 0x2731f18 [0102.121] HeapFree (in: hHeap=0x2730000, dwFlags=0x0, lpMem=0x27307c8 | out: hHeap=0x2730000) returned 1 [0102.933] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x80) returned 0x2731f38 [0102.933] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x8, Size=0x800) returned 0x2731fc0 [0103.141] RtlSizeHeap (HeapHandle=0x2730000, Flags=0x0, MemoryPointer=0x2731f38) returned 0x80 [0124.655] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x50) returned 0x27307c8 [0127.265] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x2c) returned 0x2730820 [0127.332] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x100) returned 0x2730858 [0127.493] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x1c) returned 0x2730960 [0127.494] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x1d0 [0127.904] Thread32First (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0127.953] GetCurrentProcessId () returned 0x11e0 [0127.953] GetCurrentThreadId () returned 0x11dc [0128.055] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.056] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.057] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.058] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.060] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.061] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.062] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.063] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.064] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.066] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.066] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.067] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.068] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.069] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.070] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.071] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.084] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.085] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.086] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.087] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.088] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.089] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.091] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.092] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.093] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.094] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.095] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.096] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.097] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.098] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.099] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.101] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.102] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.103] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.104] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.105] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.106] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.107] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.108] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.109] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.110] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.110] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.111] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.123] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.124] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.125] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.126] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.127] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.129] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.130] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.131] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.132] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.133] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.134] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.136] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.137] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.138] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.139] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.140] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.141] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.143] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.144] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.145] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.146] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.147] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.148] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.149] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.150] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.151] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.152] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.153] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.155] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.156] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.157] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.158] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.602] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.604] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.604] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.605] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.606] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.607] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.608] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.608] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.609] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.610] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.611] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.611] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.612] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.613] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.614] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.614] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.615] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.616] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.617] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.617] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.618] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.619] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.620] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.620] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.621] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.622] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.622] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.623] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.624] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.625] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.626] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.627] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.631] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.632] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.633] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.634] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.634] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.635] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.636] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.637] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.638] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.639] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.640] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.640] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.641] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.642] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.644] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.645] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.645] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.646] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.647] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.648] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.649] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.650] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.651] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.652] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.653] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.654] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.655] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.656] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.657] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.658] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.660] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.661] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.662] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.663] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.664] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.665] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.666] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.667] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.668] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.669] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.670] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.671] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.805] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.806] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.807] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.808] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.809] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.810] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.811] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.812] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.813] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.813] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.814] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.816] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.817] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.818] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.819] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.819] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.820] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.821] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.822] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.823] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.824] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.825] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.826] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.827] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.828] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.829] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.830] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.832] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.832] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.833] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.834] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.835] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.836] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.837] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.838] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.839] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.840] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.841] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.842] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.843] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.844] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.845] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.846] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.875] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.876] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.892] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.894] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.895] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.895] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.896] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.897] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.898] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.899] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.900] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.901] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.902] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.903] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.904] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.905] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.906] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.907] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.908] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.910] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.911] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.912] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.913] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.913] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.914] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.915] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.916] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.917] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.918] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.919] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.920] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.921] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.922] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.923] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0128.923] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.050] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.051] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.052] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.053] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.054] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.055] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.056] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.057] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.058] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.059] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.060] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.060] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.061] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.062] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.063] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.064] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.065] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.066] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.067] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.068] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.069] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.070] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.071] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.072] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.073] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.074] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.075] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.076] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.077] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.077] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.078] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.079] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.080] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.081] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.082] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.083] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.084] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.085] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.086] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.087] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.088] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.089] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.090] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.090] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.091] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.092] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.093] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.094] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.095] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.096] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.103] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.103] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.104] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.105] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.106] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.107] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.108] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.109] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.110] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.111] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.112] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.113] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.114] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.115] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.116] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.117] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.118] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.119] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.120] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.120] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.121] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.122] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.123] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.124] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.125] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.126] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.127] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.128] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.129] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.130] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.131] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.132] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.133] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.134] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.135] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.136] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.137] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.138] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.139] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.140] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.140] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.141] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.142] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.208] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.210] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.211] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.211] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.212] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.213] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.214] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.215] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.216] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.217] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0129.218] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0132.515] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.194] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.895] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.897] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.898] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.899] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.900] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.901] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.903] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.904] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.905] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.906] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.907] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.909] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.910] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.911] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.917] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.918] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.919] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.920] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.921] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.922] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.923] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.924] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.925] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.926] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.927] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.929] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.929] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.931] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.932] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.932] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.933] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.934] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.935] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.936] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.937] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.938] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.939] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.940] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.941] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.941] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.944] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.945] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.945] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.946] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.947] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.948] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.949] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.950] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.951] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.952] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.953] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.954] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.955] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.956] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.957] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.958] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.975] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.976] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.977] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.978] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.980] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.981] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.982] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.983] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.984] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.985] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.986] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.987] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.988] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.990] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.991] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.992] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.993] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.995] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.996] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.997] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0144.999] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.000] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.001] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.002] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.004] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.005] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.006] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.007] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.008] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.009] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.010] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.012] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.013] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.014] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.015] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.016] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.017] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.018] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.019] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.020] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.028] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.029] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.030] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.032] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.035] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.036] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.038] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.039] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.042] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.043] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.072] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.073] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.074] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.075] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.076] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.077] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.078] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.098] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.099] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.100] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.101] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.102] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.103] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.104] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.105] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.106] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.107] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.108] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.109] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.110] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.111] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.112] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.128] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.129] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.131] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.132] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.133] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.134] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.135] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.136] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.137] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.138] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.139] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.140] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.141] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.143] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.144] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.145] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.146] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.147] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.148] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.149] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.150] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.151] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.152] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.153] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.154] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.155] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.156] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.157] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.158] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.162] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.163] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.164] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.165] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.166] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.167] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.167] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.168] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.169] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.170] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.171] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.172] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.174] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.175] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.176] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.177] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.178] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.179] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.180] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.181] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.182] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.183] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.184] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.185] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.186] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.186] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.188] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.189] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.190] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.191] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.192] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.193] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.194] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.195] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.196] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.197] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.198] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.199] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.200] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.201] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.202] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.203] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.204] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.205] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.218] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.220] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.221] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.222] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.223] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.224] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.225] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.226] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.227] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.228] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.229] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.230] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.231] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.232] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.233] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.234] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.235] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.236] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.237] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.238] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.239] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.240] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.241] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.242] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.243] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.244] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.245] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.246] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.247] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.248] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.249] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.250] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.251] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.252] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.253] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.257] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.258] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.259] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.260] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.261] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.262] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.263] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.264] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.265] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.266] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.267] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.268] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.269] Thread32Next (hSnapshot=0x1d0, lpte=0x95e3bc) returned 1 [0145.619] OpenThread (dwDesiredAccess=0x2, bInheritHandle=0, dwThreadId=0x11d8) returned 0x0 [0145.720] CloseHandle (hObject=0x1d0) returned 1 [0148.186] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0xc) returned 0x2730988 [0148.186] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0xa) returned 0x27309a0 [0148.331] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77970000 [0148.401] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0xc) returned 0x27309b8 [0148.401] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x17) returned 0x27309d0 [0148.822] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x10) returned 0x27309f0 [0148.823] GetSystemInfo (in: lpSystemInfo=0x95dec0 | out: lpSystemInfo=0x95dec0*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0148.823] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) returned 0x970000 [0148.932] GetCurrentProcess () returned 0xffffffff [0148.932] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x970005, lpBuffer=0x95dea4*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x95dea4*, lpNumberOfBytesWritten=0x0) returned 1 [0149.312] GetCurrentProcess () returned 0xffffffff [0149.312] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x97000f, lpBuffer=0x95dea8*, nSize=0x6, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x95dea8*, lpNumberOfBytesWritten=0x0) returned 1 [0149.322] GetCurrentProcess () returned 0xffffffff [0149.322] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x779e2210, lpBuffer=0x95dea4*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x95dea4*, lpNumberOfBytesWritten=0x0) returned 1 [0149.327] GetCurrentProcess () returned 0xffffffff [0149.422] VirtualProtect (in: lpAddress=0x970000, dwSize=0x1000, flNewProtect=0x20, lpflOldProtect=0x95dee4 | out: lpflOldProtect=0x95dee4*=0x40) returned 1 [0149.423] GetCurrentProcess () returned 0xffffffff [0149.424] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x4) returned 0x2730a08 [0149.455] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0xc) returned 0x2730a18 [0149.455] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x13) returned 0x2730a30 [0149.463] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x10) returned 0x2730a50 [0149.463] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) returned 0x980000 [0149.464] GetCurrentProcess () returned 0xffffffff [0149.464] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x980007, lpBuffer=0x95dea4*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x95dea4*, lpNumberOfBytesWritten=0x0) returned 1 [0149.467] GetCurrentProcess () returned 0xffffffff [0149.467] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x980013, lpBuffer=0x95dea8*, nSize=0x6, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x95dea8*, lpNumberOfBytesWritten=0x0) returned 1 [0149.471] GetCurrentProcess () returned 0xffffffff [0149.471] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x77a1a520, lpBuffer=0x95dea4*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x95dea4*, lpNumberOfBytesWritten=0x0) returned 1 [0149.472] GetCurrentProcess () returned 0xffffffff [0149.473] GetCurrentProcess () returned 0xffffffff [0149.474] VirtualProtect (in: lpAddress=0x980000, dwSize=0x1000, flNewProtect=0x20, lpflOldProtect=0x95dee4 | out: lpflOldProtect=0x95dee4*=0x40) returned 1 [0149.474] GetCurrentProcess () returned 0xffffffff [0149.480] RtlAllocateHeap (HeapHandle=0x2730000, Flags=0x0, Size=0x8) returned 0x2730a68 [0149.480] HeapFree (in: hHeap=0x2730000, dwFlags=0x0, lpMem=0x2730a08 | out: hHeap=0x2730000) returned 1 [0173.345] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x95f67c*=0x20000, NumberOfBytesToProtect=0x95f674, NewAccessProtection=0x20, OldAccessProtection=0x95f9bc | out: BaseAddress=0x95f67c*=0x20000, NumberOfBytesToProtect=0x95f674, OldAccessProtection=0x95f9bc*=0x40) returned 0x0 [0173.633] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x95f67c*=0x1a000, NumberOfBytesToProtect=0x95f674, NewAccessProtection=0x2, OldAccessProtection=0x95f9bc | out: BaseAddress=0x95f67c*=0x1a000, NumberOfBytesToProtect=0x95f674, OldAccessProtection=0x95f9bc*=0x4) returned 0x0 [0173.634] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x95f67c*=0x45000, NumberOfBytesToProtect=0x95f674, NewAccessProtection=0x4, OldAccessProtection=0x95f9bc | out: BaseAddress=0x95f67c*=0x45000, NumberOfBytesToProtect=0x95f674, OldAccessProtection=0x95f9bc*=0x20) returned 0x0 [0193.103] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0193.140] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x28d0000 [0193.197] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0193.218] GetProcAddress (hModule=0x772d0000, lpProcName="FlsAlloc") returned 0x772e4ae0 [0193.219] GetProcAddress (hModule=0x772d0000, lpProcName="FlsGetValue") returned 0x772e4b20 [0193.219] GetProcAddress (hModule=0x772d0000, lpProcName="FlsSetValue") returned 0x772e4b40 [0193.219] GetProcAddress (hModule=0x772d0000, lpProcName="FlsFree") returned 0x772e4b00 [0193.331] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x214) returned 0x28d05a8 [0193.370] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0193.582] GetCurrentThreadId () returned 0x11dc [0193.623] GetStartupInfoW (in: lpStartupInfo=0x95fab4 | out: lpStartupInfo=0x95fab4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\kinodomino.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0193.623] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x800) returned 0x28d07c8 [0193.706] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0193.706] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0193.706] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0193.706] SetHandleCount (uNumber=0x20) returned 0x20 [0193.724] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\kinodomino.exe\" " [0193.766] GetEnvironmentStringsW () returned 0xa2e7d0* [0193.825] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0193.825] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x565) returned 0x28d0fd0 [0193.826] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x28d0fd0, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0193.863] FreeEnvironmentStringsW (penv=0xa2e7d0) returned 1 [0193.863] GetLastError () returned 0x12 [0193.920] SetLastError (dwErrCode=0x12) [0193.920] GetLastError () returned 0x12 [0193.920] SetLastError (dwErrCode=0x12) [0193.920] GetLastError () returned 0x12 [0193.920] SetLastError (dwErrCode=0x12) [0193.920] GetACP () returned 0x4e4 [0193.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x220) returned 0x28d1540 [0193.920] GetLastError () returned 0x12 [0193.920] SetLastError (dwErrCode=0x12) [0193.920] IsValidCodePage (CodePage=0x4e4) returned 1 [0193.939] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x95fa7c | out: lpCPInfo=0x95fa7c) returned 1 [0193.956] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x95f548 | out: lpCPInfo=0x95f548) returned 1 [0193.956] GetLastError () returned 0x12 [0193.956] SetLastError (dwErrCode=0x12) [0193.979] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95f95c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0193.979] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95f95c, cbMultiByte=256, lpWideCharStr=0x95f2c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ矰\x01Ā") returned 256 [0193.995] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ矰\x01Ā", cchSrc=256, lpCharType=0x95f55c | out: lpCharType=0x95f55c) returned 1 [0193.996] GetLastError () returned 0x12 [0193.996] SetLastError (dwErrCode=0x12) [0193.996] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95f95c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0193.996] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95f95c, cbMultiByte=256, lpWideCharStr=0x95f298, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0193.996] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0193.996] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x95f088, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0194.055] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x95f85c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿf\x1c@\x99\x94ú\x95", lpUsedDefaultChar=0x0) returned 256 [0194.055] GetLastError () returned 0x12 [0194.055] SetLastError (dwErrCode=0x12) [0194.055] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95f95c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0194.055] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x95f95c, cbMultiByte=256, lpWideCharStr=0x95f2b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0194.055] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0194.055] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x95f0a8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0194.055] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x95f75c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿf\x1c@\x99\x94ú\x95", lpUsedDefaultChar=0x0) returned 256 [0194.151] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1f650, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\kinodomino.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\kinodomino.exe")) returned 0x26 [0194.151] GetLastError () returned 0x0 [0194.151] SetLastError (dwErrCode=0x0) [0194.151] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.152] SetLastError (dwErrCode=0x0) [0194.152] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.153] GetLastError () returned 0x0 [0194.153] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.154] GetLastError () returned 0x0 [0194.154] SetLastError (dwErrCode=0x0) [0194.155] GetLastError () returned 0x0 [0194.155] SetLastError (dwErrCode=0x0) [0194.155] GetLastError () returned 0x0 [0194.155] SetLastError (dwErrCode=0x0) [0194.155] GetLastError () returned 0x0 [0194.155] SetLastError (dwErrCode=0x0) [0194.155] GetLastError () returned 0x0 [0194.155] SetLastError (dwErrCode=0x0) [0194.155] GetLastError () returned 0x0 [0194.155] SetLastError (dwErrCode=0x0) [0194.155] GetLastError () returned 0x0 [0194.155] SetLastError (dwErrCode=0x0) [0194.155] GetLastError () returned 0x0 [0194.155] SetLastError (dwErrCode=0x0) [0194.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x2f) returned 0x28d1768 [0194.155] GetLastError () returned 0x0 [0194.155] SetLastError (dwErrCode=0x0) [0194.155] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.156] SetLastError (dwErrCode=0x0) [0194.156] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.157] SetLastError (dwErrCode=0x0) [0194.157] GetLastError () returned 0x0 [0194.158] SetLastError (dwErrCode=0x0) [0194.158] GetLastError () returned 0x0 [0194.158] SetLastError (dwErrCode=0x0) [0194.158] GetLastError () returned 0x0 [0194.158] SetLastError (dwErrCode=0x0) [0194.158] GetLastError () returned 0x0 [0194.158] SetLastError (dwErrCode=0x0) [0194.158] GetLastError () returned 0x0 [0194.158] SetLastError (dwErrCode=0x0) [0194.158] GetLastError () returned 0x0 [0194.158] SetLastError (dwErrCode=0x0) [0194.158] GetLastError () returned 0x0 [0194.158] SetLastError (dwErrCode=0x0) [0194.158] GetLastError () returned 0x0 [0194.158] SetLastError (dwErrCode=0x0) [0194.158] GetLastError () returned 0x0 [0194.159] SetLastError (dwErrCode=0x0) [0194.159] GetLastError () returned 0x0 [0194.159] SetLastError (dwErrCode=0x0) [0194.159] GetLastError () returned 0x0 [0194.159] SetLastError (dwErrCode=0x0) [0194.159] GetLastError () returned 0x0 [0194.159] SetLastError (dwErrCode=0x0) [0194.159] GetLastError () returned 0x0 [0194.159] SetLastError (dwErrCode=0x0) [0194.159] GetLastError () returned 0x0 [0194.159] SetLastError (dwErrCode=0x0) [0194.159] GetLastError () returned 0x0 [0194.159] SetLastError (dwErrCode=0x0) [0194.159] GetLastError () returned 0x0 [0194.159] SetLastError (dwErrCode=0x0) [0194.159] GetLastError () returned 0x0 [0194.160] SetLastError (dwErrCode=0x0) [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x94) returned 0x28d17a0 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x1f) returned 0x28d1840 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x28) returned 0x28d1868 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x37) returned 0x28d1898 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x3c) returned 0x28d18d8 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x31) returned 0x28d1920 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x14) returned 0x28d1960 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x24) returned 0x28d1980 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0xd) returned 0x28d19b0 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x17) returned 0x28d19c8 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x2b) returned 0x28d19e8 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x15) returned 0x28d1a20 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x17) returned 0x28d1a40 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x22) returned 0x28d1a60 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0xe) returned 0x28d1a90 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0xc1) returned 0x28d1aa8 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x3e) returned 0x28d1b78 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x1b) returned 0x28d1bc0 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x1d) returned 0x28d1be8 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x48) returned 0x28d1c10 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x12) returned 0x28d1c60 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x18) returned 0x28d1c80 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x1b) returned 0x28d1ca0 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x24) returned 0x28d1cc8 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x29) returned 0x28d1cf8 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x1e) returned 0x28d1d30 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x6b) returned 0x28d1d58 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x17) returned 0x28d1dd0 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0xf) returned 0x28d1df0 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x16) returned 0x28d1e08 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x28) returned 0x28d1e28 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x27) returned 0x28d1e58 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x12) returned 0x28d1e88 [0194.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x21) returned 0x28d1ea8 [0194.161] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x10) returned 0x28d1ed8 [0194.161] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x1c) returned 0x28d1ef0 [0194.161] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x12) returned 0x28d1f18 [0194.241] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d0fd0 | out: hHeap=0x28d0000) returned 1 [0194.241] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x8, Size=0x80) returned 0x28d1f38 [0194.348] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0194.348] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x14b39) returned 0x0 [0194.444] RtlSizeHeap (HeapHandle=0x28d0000, Flags=0x0, MemoryPointer=0x28d1f38) returned 0x80 [0194.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x180) returned 0x28d0fd0 [0194.499] RtlSizeHeap (HeapHandle=0x28d0000, Flags=0x0, MemoryPointer=0x28d1f38) returned 0x80 [0194.500] RtlSizeHeap (HeapHandle=0x28d0000, Flags=0x0, MemoryPointer=0x28d1f38) returned 0x80 [0194.500] RtlSizeHeap (HeapHandle=0x28d0000, Flags=0x0, MemoryPointer=0x28d1f38) returned 0x80 [0194.561] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Den'gi plyvut v karmany rekoy. My khodim po krayu nozha...") returned 0x1d0 [0194.581] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x0) returned 0x0 [0194.628] GetLastError () returned 0x0 [0194.628] CryptAcquireContextA (in: phProv=0x1f96c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x1f96c*=0xa16700) returned 1 [0198.464] GetCurrentProcess () returned 0xffffffff [0200.139] GetCurrentProcess () returned 0xffffffff [0200.140] GetCurrentProcess () returned 0xffffffff [0200.143] GetCurrentProcess () returned 0xffffffff [0200.146] GetCurrentProcess () returned 0xffffffff [0200.148] GetCurrentProcess () returned 0xffffffff [0200.149] GetCurrentProcess () returned 0xffffffff [0201.132] GetCurrentProcess () returned 0xffffffff [0201.589] GetCurrentProcess () returned 0xffffffff [0201.590] GetCurrentProcess () returned 0xffffffff [0201.592] GetCurrentProcess () returned 0xffffffff [0201.637] GetCurrentProcess () returned 0xffffffff [0202.110] GetCurrentProcess () returned 0xffffffff [0202.111] GetCurrentProcess () returned 0xffffffff [0202.112] GetCurrentProcess () returned 0xffffffff [0202.114] GetCurrentProcess () returned 0xffffffff [0202.114] GetCurrentProcess () returned 0xffffffff [0202.124] GetCurrentProcess () returned 0xffffffff [0202.125] GetCurrentProcess () returned 0xffffffff [0202.126] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1158 [0202.126] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x42) returned 0x28d11b0 [0202.126] CryptCreateHash (in: hProv=0xa16700, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x1f970 | out: phHash=0x1f970) returned 1 [0202.160] CryptHashData (hHash=0xa26968, pbData=0x28d11b0, dwDataLen=0x42, dwFlags=0x0) returned 1 [0202.182] CryptDeriveKey (in: hProv=0xa16700, Algid=0x6801, hBaseData=0xa26968, dwFlags=0x1, phKey=0x1f968 | out: phKey=0x1f968*=0xa26828) returned 1 [0202.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d11b0 | out: hHeap=0x28d0000) returned 1 [0202.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1158 | out: hHeap=0x28d0000) returned 1 [0202.183] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x7) returned 0x28d1fc0 [0202.183] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x114) returned 0x28d1158 [0202.183] CryptAcquireContextA (in: phProv=0x1f960, szContainer="rsa public", szProvider=0x0, dwProvType=0x1, dwFlags=0x0 | out: phProv=0x1f960*=0x0) returned 0 [0202.191] GetCurrentProcess () returned 0xffffffff [0203.457] GetCurrentProcess () returned 0xffffffff [0203.458] GetCurrentProcess () returned 0xffffffff [0203.459] GetCurrentProcess () returned 0xffffffff [0203.461] GetCurrentProcess () returned 0xffffffff [0203.463] GetCurrentProcess () returned 0xffffffff [0203.464] GetCurrentProcess () returned 0xffffffff [0203.464] GetCurrentProcess () returned 0xffffffff [0203.465] GetCurrentProcess () returned 0xffffffff [0203.469] GetCurrentProcess () returned 0xffffffff [0203.469] GetCurrentProcess () returned 0xffffffff [0203.470] GetCurrentProcess () returned 0xffffffff [0203.471] GetCurrentProcess () returned 0xffffffff [0203.481] CryptAcquireContextA (in: phProv=0x1f960, szContainer="rsa public", szProvider=0x0, dwProvType=0x1, dwFlags=0x8 | out: phProv=0x1f960*=0xa20c98) returned 1 [0203.613] GetCurrentProcess () returned 0xffffffff [0216.454] GetCurrentProcess () returned 0xffffffff [0226.837] GetCurrentProcess () returned 0xffffffff [0227.271] GetCurrentProcess () returned 0xffffffff [0227.274] GetCurrentProcess () returned 0xffffffff [0227.455] GetCurrentProcess () returned 0xffffffff [0227.475] GetCurrentProcess () returned 0xffffffff [0227.479] GetCurrentProcess () returned 0xffffffff [0227.480] GetCurrentProcess () returned 0xffffffff [0227.488] GetCurrentProcess () returned 0xffffffff [0227.489] GetCurrentProcess () returned 0xffffffff [0227.499] GetCurrentProcess () returned 0xffffffff [0227.509] GetCurrentProcess () returned 0xffffffff [0227.510] GetCurrentProcess () returned 0xffffffff [0227.512] GetCurrentProcess () returned 0xffffffff [0227.513] GetCurrentProcess () returned 0xffffffff [0227.514] GetCurrentProcess () returned 0xffffffff [0227.515] GetCurrentProcess () returned 0xffffffff [0227.516] GetCurrentProcess () returned 0xffffffff [0227.517] GetCurrentProcess () returned 0xffffffff [0227.561] GetCurrentProcess () returned 0xffffffff [0227.562] GetCurrentProcess () returned 0xffffffff [0227.660] CryptImportKey (in: hProv=0xa20c98, pbData=0x28d1158, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x1f964 | out: phKey=0x1f964*=0xa2f4e0) returned 1 [0227.661] GetLogicalDrives () returned 0x4 [0227.661] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0227.661] GetProcessHeap () returned 0xa10000 [0227.661] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4) returned 0xa33170 [0227.824] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0227.825] CreateFileW (lpFileName="C:\\NEFILIM-DECRYPT.txt" (normalized: "c:\\nefilim-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0227.827] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0227.827] lstrlenA (lpString="P28bYetqAjMJwFdCu5KwgN5PGwkVckpRko+dpaPjLO7ofFiQDbKw8ovNbVTREf1xBQ6glzyU76V79uTCpaWeKoTIK27f4cF8GbrTFtiCBEPGFKlFUa9xOFxA/8iU3vp7QOYlJc6pPmGT0Z/MFnQhE0CqYav+ZfHo60djvhkjRBtoPLUcpUQ5jkOczEZPbghBDMjFVM/YFb49N687qDVvrBkiWsz2ehCWS0SMxVMJi4dpMwTc3FybPQPE73FBRFUS/aAHGjcQuSxMlzvAB7CqiEVjpFUodQwjRe7vkyt30HhFnEZmjqwbGTJea2tQ4jZ6AxIekd1brjxQuiQm+gmfc8Ic8zUBwuJgqvtZ0Nq1bPcEjakY2CI5cc+S4LZUTPU6njhVyVHifOH/tSn9IrD9jX6AODDD2jrQx4iVeZ4MnziKWlmcp9/WEgfmLGhGd0kAlpyXbJgBvjIAtvkdiSfyXnWtQSpqO0aLHIoBU+zfOTAOrSoFUEIRoEGYgVLK+/m93c90kSoa7Rkg81aBOat56uFM6j+6KE8TNIXLNK0ikPR9qX104J5xlpdGPPHuzZNOkoSAgw/ZZ2/qXRyCs8GU/ZyIY0/tNXj+E6pjeaxTHiRM3d+edqcmpxWBZOJjeBtztOlYUIw5J3hquaqNH6tkfF7e0XSEBeGAo3TdSlb4U3W+jlnzB8quhIzreGJ9Vh6Z4auZkWFejxeHLKXkB0xnpep5hJzXNPuFHT/PUwCrj8NOgc+usnDxxvK2yEWYx0Q2C5IChW+jIQb9+fYF7JavseSGl/JCuj9Or1UHrOUttk8YpIRlH9waaXD5kZpI6d2oSHAsQB1zhnRbb173T7ebR9+/22ttbaAV2KfVUo1kbfsWTHkg1dqquE84FoWApIwzwKZCmiY4MBVaAv2OasHLQp5boQFLyBzJv5+IdI9Pp/+sB9v2c0ssPO2NQ3R1mdYOdAOkh0QaH+BvuMPZPyfq14K05QmahmvUN6x5z6Z8LQGK2XMC7DNvVK0kWeTu2vJiWqNGUIOjH/SdldhPFbTWY+15dZC54nP267DtsRhZrdWl7FqWfgc0meAvHV2YHSa1g59qa98+O227TC9+5i1PVqyuEU1XO+7DZ1eLoNQ2") returned 1128 [0227.827] GetProcessHeap () returned 0xa10000 [0227.827] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x34e) returned 0xa36d80 [0227.827] lstrlenA (lpString="P28bYetqAjMJwFdCu5KwgN5PGwkVckpRko+dpaPjLO7ofFiQDbKw8ovNbVTREf1xBQ6glzyU76V79uTCpaWeKoTIK27f4cF8GbrTFtiCBEPGFKlFUa9xOFxA/8iU3vp7QOYlJc6pPmGT0Z/MFnQhE0CqYav+ZfHo60djvhkjRBtoPLUcpUQ5jkOczEZPbghBDMjFVM/YFb49N687qDVvrBkiWsz2ehCWS0SMxVMJi4dpMwTc3FybPQPE73FBRFUS/aAHGjcQuSxMlzvAB7CqiEVjpFUodQwjRe7vkyt30HhFnEZmjqwbGTJea2tQ4jZ6AxIekd1brjxQuiQm+gmfc8Ic8zUBwuJgqvtZ0Nq1bPcEjakY2CI5cc+S4LZUTPU6njhVyVHifOH/tSn9IrD9jX6AODDD2jrQx4iVeZ4MnziKWlmcp9/WEgfmLGhGd0kAlpyXbJgBvjIAtvkdiSfyXnWtQSpqO0aLHIoBU+zfOTAOrSoFUEIRoEGYgVLK+/m93c90kSoa7Rkg81aBOat56uFM6j+6KE8TNIXLNK0ikPR9qX104J5xlpdGPPHuzZNOkoSAgw/ZZ2/qXRyCs8GU/ZyIY0/tNXj+E6pjeaxTHiRM3d+edqcmpxWBZOJjeBtztOlYUIw5J3hquaqNH6tkfF7e0XSEBeGAo3TdSlb4U3W+jlnzB8quhIzreGJ9Vh6Z4auZkWFejxeHLKXkB0xnpep5hJzXNPuFHT/PUwCrj8NOgc+usnDxxvK2yEWYx0Q2C5IChW+jIQb9+fYF7JavseSGl/JCuj9Or1UHrOUttk8YpIRlH9waaXD5kZpI6d2oSHAsQB1zhnRbb173T7ebR9+/22ttbaAV2KfVUo1kbfsWTHkg1dqquE84FoWApIwzwKZCmiY4MBVaAv2OasHLQp5boQFLyBzJv5+IdI9Pp/+sB9v2c0ssPO2NQ3R1mdYOdAOkh0QaH+BvuMPZPyfq14K05QmahmvUN6x5z6Z8LQGK2XMC7DNvVK0kWeTu2vJiWqNGUIOjH/SdldhPFbTWY+15dZC54nP267DtsRhZrdWl7FqWfgc0meAvHV2YHSa1g59qa98+O227TC9+5i1PVqyuEU1XO+7DZ1eLoNQ2") returned 1128 [0227.827] lstrlenA (lpString="P28bYetqAjMJwFdCu5KwgN5PGwkVckpRko+dpaPjLO7ofFiQDbKw8ovNbVTREf1xBQ6glzyU76V79uTCpaWeKoTIK27f4cF8GbrTFtiCBEPGFKlFUa9xOFxA/8iU3vp7QOYlJc6pPmGT0Z/MFnQhE0CqYav+ZfHo60djvhkjRBtoPLUcpUQ5jkOczEZPbghBDMjFVM/YFb49N687qDVvrBkiWsz2ehCWS0SMxVMJi4dpMwTc3FybPQPE73FBRFUS/aAHGjcQuSxMlzvAB7CqiEVjpFUodQwjRe7vkyt30HhFnEZmjqwbGTJea2tQ4jZ6AxIekd1brjxQuiQm+gmfc8Ic8zUBwuJgqvtZ0Nq1bPcEjakY2CI5cc+S4LZUTPU6njhVyVHifOH/tSn9IrD9jX6AODDD2jrQx4iVeZ4MnziKWlmcp9/WEgfmLGhGd0kAlpyXbJgBvjIAtvkdiSfyXnWtQSpqO0aLHIoBU+zfOTAOrSoFUEIRoEGYgVLK+/m93c90kSoa7Rkg81aBOat56uFM6j+6KE8TNIXLNK0ikPR9qX104J5xlpdGPPHuzZNOkoSAgw/ZZ2/qXRyCs8GU/ZyIY0/tNXj+E6pjeaxTHiRM3d+edqcmpxWBZOJjeBtztOlYUIw5J3hquaqNH6tkfF7e0XSEBeGAo3TdSlb4U3W+jlnzB8quhIzreGJ9Vh6Z4auZkWFejxeHLKXkB0xnpep5hJzXNPuFHT/PUwCrj8NOgc+usnDxxvK2yEWYx0Q2C5IChW+jIQb9+fYF7JavseSGl/JCuj9Or1UHrOUttk8YpIRlH9waaXD5kZpI6d2oSHAsQB1zhnRbb173T7ebR9+/22ttbaAV2KfVUo1kbfsWTHkg1dqquE84FoWApIwzwKZCmiY4MBVaAv2OasHLQp5boQFLyBzJv5+IdI9Pp/+sB9v2c0ssPO2NQ3R1mdYOdAOkh0QaH+BvuMPZPyfq14K05QmahmvUN6x5z6Z8LQGK2XMC7DNvVK0kWeTu2vJiWqNGUIOjH/SdldhPFbTWY+15dZC54nP267DtsRhZrdWl7FqWfgc0meAvHV2YHSa1g59qa98+O227TC9+5i1PVqyuEU1XO+7DZ1eLoNQ2") returned 1128 [0227.827] CryptDecrypt (in: hKey=0xa26828, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa36d80, pdwDataLen=0x95f9c4 | out: pbData=0xa36d80, pdwDataLen=0x95f9c4) returned 1 [0227.827] lstrlenA (lpString="P28bYetqAjMJwFdCu5KwgN5PGwkVckpRko+dpaPjLO7ofFiQDbKw8ovNbVTREf1xBQ6glzyU76V79uTCpaWeKoTIK27f4cF8GbrTFtiCBEPGFKlFUa9xOFxA/8iU3vp7QOYlJc6pPmGT0Z/MFnQhE0CqYav+ZfHo60djvhkjRBtoPLUcpUQ5jkOczEZPbghBDMjFVM/YFb49N687qDVvrBkiWsz2ehCWS0SMxVMJi4dpMwTc3FybPQPE73FBRFUS/aAHGjcQuSxMlzvAB7CqiEVjpFUodQwjRe7vkyt30HhFnEZmjqwbGTJea2tQ4jZ6AxIekd1brjxQuiQm+gmfc8Ic8zUBwuJgqvtZ0Nq1bPcEjakY2CI5cc+S4LZUTPU6njhVyVHifOH/tSn9IrD9jX6AODDD2jrQx4iVeZ4MnziKWlmcp9/WEgfmLGhGd0kAlpyXbJgBvjIAtvkdiSfyXnWtQSpqO0aLHIoBU+zfOTAOrSoFUEIRoEGYgVLK+/m93c90kSoa7Rkg81aBOat56uFM6j+6KE8TNIXLNK0ikPR9qX104J5xlpdGPPHuzZNOkoSAgw/ZZ2/qXRyCs8GU/ZyIY0/tNXj+E6pjeaxTHiRM3d+edqcmpxWBZOJjeBtztOlYUIw5J3hquaqNH6tkfF7e0XSEBeGAo3TdSlb4U3W+jlnzB8quhIzreGJ9Vh6Z4auZkWFejxeHLKXkB0xnpep5hJzXNPuFHT/PUwCrj8NOgc+usnDxxvK2yEWYx0Q2C5IChW+jIQb9+fYF7JavseSGl/JCuj9Or1UHrOUttk8YpIRlH9waaXD5kZpI6d2oSHAsQB1zhnRbb173T7ebR9+/22ttbaAV2KfVUo1kbfsWTHkg1dqquE84FoWApIwzwKZCmiY4MBVaAv2OasHLQp5boQFLyBzJv5+IdI9Pp/+sB9v2c0ssPO2NQ3R1mdYOdAOkh0QaH+BvuMPZPyfq14K05QmahmvUN6x5z6Z8LQGK2XMC7DNvVK0kWeTu2vJiWqNGUIOjH/SdldhPFbTWY+15dZC54nP267DtsRhZrdWl7FqWfgc0meAvHV2YHSa1g59qa98+O227TC9+5i1PVqyuEU1XO+7DZ1eLoNQ2") returned 1128 [0227.907] WriteFile (in: hFile=0x1d8, lpBuffer=0xa36d80*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x95f9c0, lpOverlapped=0x0 | out: lpBuffer=0xa36d80*, lpNumberOfBytesWritten=0x95f9c0*=0x34e, lpOverlapped=0x0) returned 1 [0227.929] CloseHandle (hObject=0x1d8) returned 1 [0227.936] GetProcessHeap () returned 0xa10000 [0228.002] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa36d80 | out: hHeap=0xa10000) returned 1 [0228.021] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x12049, lpParameter=0xa33170, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d8 [0228.124] Sleep (dwMilliseconds=0x1f4) [0228.667] WaitForSingleObject (hHandle=0x1d8, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x11d8 Thread: id = 3 os_tid = 0x13e8 Thread: id = 4 os_tid = 0xcd4 [0228.102] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xa2f2a0 [0228.103] lstrcmpiW (lpString1="$GetCurrent", lpString2=".") returned -1 [0228.104] lstrcmpiW (lpString1="$GetCurrent", lpString2="..") returned -1 [0228.104] lstrcmpiW (lpString1="$GetCurrent", lpString2="...") returned -1 [0228.104] lstrcmpiW (lpString1="$GetCurrent", lpString2="windows") returned -1 [0228.104] lstrcmpiW (lpString1="$GetCurrent", lpString2="$RECYCLE.BIN") returned -1 [0228.104] lstrcmpiW (lpString1="$GetCurrent", lpString2="rsa") returned -1 [0228.104] lstrcmpiW (lpString1="$GetCurrent", lpString2="NTDETECT.COM") returned -1 [0228.104] lstrcmpiW (lpString1="$GetCurrent", lpString2="ntldr") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="MSDOS.SYS") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="IO.SYS") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="boot.ini") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="AUTOEXEC.BAT") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="ntuser.dat") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="desktop.ini") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="CONFIG.SYS") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="RECYCLER") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="BOOTSECT.BAK") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="bootmgr") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="programdata") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="appdata") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="program files") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="program files (x86)") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="microsoft") returned -1 [0228.105] lstrcmpiW (lpString1="$GetCurrent", lpString2="sophos") returned -1 [0228.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1278 [0228.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12a0 [0228.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12c8 [0228.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12f0 [0228.105] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a, dwReserved1=0xa100c0, cFileName=".", cAlternateFileName="")) returned 0xa2f560 [0228.123] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0228.123] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a, dwReserved1=0xa100c0, cFileName="..", cAlternateFileName="")) returned 1 [0228.123] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0228.123] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0228.123] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a, dwReserved1=0xa100c0, cFileName="Logs", cAlternateFileName="")) returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="rsa") returned -1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="NTDETECT.COM") returned -1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="ntldr") returned -1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="MSDOS.SYS") returned -1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="IO.SYS") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="boot.ini") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="AUTOEXEC.BAT") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="ntuser.dat") returned -1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="desktop.ini") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="CONFIG.SYS") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="RECYCLER") returned -1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="BOOTSECT.BAK") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="programdata") returned -1 [0228.123] lstrcmpiW (lpString1="Logs", lpString2="appdata") returned 1 [0228.124] lstrcmpiW (lpString1="Logs", lpString2="program files") returned -1 [0228.124] lstrcmpiW (lpString1="Logs", lpString2="program files (x86)") returned -1 [0228.124] lstrcmpiW (lpString1="Logs", lpString2="microsoft") returned -1 [0228.124] lstrcmpiW (lpString1="Logs", lpString2="sophos") returned -1 [0228.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1328 [0228.124] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0228.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12f0 [0228.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1360 [0228.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1398 [0228.124] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0228.140] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0228.140] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.140] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0228.140] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0228.140] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0228.140] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2=".") returned 1 [0228.140] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="..") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="...") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="windows") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="$RECYCLE.BIN") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="rsa") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="NTDETECT.COM") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="ntldr") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="MSDOS.SYS") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="IO.SYS") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="boot.ini") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="AUTOEXEC.BAT") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="ntuser.dat") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="desktop.ini") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="CONFIG.SYS") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="RECYCLER") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="BOOTSECT.BAK") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="bootmgr") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="programdata") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="appdata") returned 1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="program files") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="program files (x86)") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="microsoft") returned -1 [0228.141] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="sophos") returned -1 [0228.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d13d0 [0228.141] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1398 | out: hHeap=0x28d0000) returned 1 [0228.141] PathFindExtensionW (pszPath="downlevel_2017_09_07_02_02_39_766.log") returned=".log" [0228.142] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0228.142] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0228.142] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2=".") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="..") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="...") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="windows") returned -1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="$RECYCLE.BIN") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="rsa") returned -1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="NTDETECT.COM") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="ntldr") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="MSDOS.SYS") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="IO.SYS") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="boot.ini") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="AUTOEXEC.BAT") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="ntuser.dat") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="desktop.ini") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="CONFIG.SYS") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="RECYCLER") returned -1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="BOOTSECT.BAK") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="bootmgr") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="programdata") returned -1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="appdata") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="program files") returned -1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="program files (x86)") returned -1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="microsoft") returned 1 [0228.142] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="sophos") returned -1 [0228.143] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1458 [0228.143] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13d0 | out: hHeap=0x28d0000) returned 1 [0228.143] PathFindExtensionW (pszPath="oobe_2017_09_07_03_08_57_737.log") returned=".log" [0228.143] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0228.143] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0228.143] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2=".") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="..") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="...") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="windows") returned -1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="$RECYCLE.BIN") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="rsa") returned -1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="NTDETECT.COM") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="ntldr") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="MSDOS.SYS") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="IO.SYS") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="boot.ini") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="AUTOEXEC.BAT") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="ntuser.dat") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="desktop.ini") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="CONFIG.SYS") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="RECYCLER") returned -1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="BOOTSECT.BAK") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="bootmgr") returned 1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="programdata") returned -1 [0228.143] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="appdata") returned 1 [0228.144] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="program files") returned -1 [0228.144] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="program files (x86)") returned -1 [0228.144] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="microsoft") returned 1 [0228.144] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="sophos") returned -1 [0228.144] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1398 [0228.144] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1458 | out: hHeap=0x28d0000) returned 1 [0228.144] PathFindExtensionW (pszPath="PartnerSetupCompleteResult.log") returned=".log" [0228.144] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0228.144] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0228.144] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0228.144] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0228.145] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1398 | out: hHeap=0x28d0000) returned 1 [0228.145] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1360 | out: hHeap=0x28d0000) returned 1 [0228.145] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0228.145] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a, dwReserved1=0xa100c0, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0228.145] lstrcmpiW (lpString1="SafeOS", lpString2=".") returned 1 [0228.145] lstrcmpiW (lpString1="SafeOS", lpString2="..") returned 1 [0228.145] lstrcmpiW (lpString1="SafeOS", lpString2="...") returned 1 [0228.145] lstrcmpiW (lpString1="SafeOS", lpString2="windows") returned -1 [0228.145] lstrcmpiW (lpString1="SafeOS", lpString2="$RECYCLE.BIN") returned 1 [0228.145] lstrcmpiW (lpString1="SafeOS", lpString2="rsa") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="NTDETECT.COM") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="ntldr") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="MSDOS.SYS") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="IO.SYS") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="boot.ini") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="AUTOEXEC.BAT") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="ntuser.dat") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="desktop.ini") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="CONFIG.SYS") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="RECYCLER") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="BOOTSECT.BAK") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="bootmgr") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="programdata") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="appdata") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="program files") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="program files (x86)") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="microsoft") returned 1 [0228.146] lstrcmpiW (lpString1="SafeOS", lpString2="sophos") returned -1 [0228.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12f0 [0228.146] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1328 | out: hHeap=0x28d0000) returned 1 [0228.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1328 [0228.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1360 [0228.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1398 [0228.146] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f420 [0228.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0228.158] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0228.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0228.158] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2=".") returned 1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="..") returned 1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="...") returned 1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="windows") returned -1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="$RECYCLE.BIN") returned 1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="rsa") returned -1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="NTDETECT.COM") returned -1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ntldr") returned -1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="MSDOS.SYS") returned -1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="IO.SYS") returned -1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="boot.ini") returned 1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="AUTOEXEC.BAT") returned 1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ntuser.dat") returned -1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="desktop.ini") returned 1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="CONFIG.SYS") returned 1 [0228.158] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="RECYCLER") returned -1 [0228.159] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="BOOTSECT.BAK") returned 1 [0228.159] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="bootmgr") returned 1 [0228.159] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="programdata") returned -1 [0228.159] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="appdata") returned 1 [0228.159] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="program files") returned -1 [0228.159] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="program files (x86)") returned -1 [0228.159] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="microsoft") returned -1 [0228.159] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="sophos") returned -1 [0228.159] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d13e0 [0228.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1398 | out: hHeap=0x28d0000) returned 1 [0228.159] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0228.159] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0228.159] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0228.159] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0228.159] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0228.159] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0228.159] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0228.159] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0228.159] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0228.159] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0228.159] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2=".") returned 1 [0228.159] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="..") returned 1 [0228.159] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="...") returned 1 [0228.159] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="windows") returned -1 [0228.159] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="$RECYCLE.BIN") returned 1 [0228.159] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="rsa") returned -1 [0228.159] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="NTDETECT.COM") returned -1 [0228.159] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="ntldr") returned -1 [0228.159] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="MSDOS.SYS") returned -1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="IO.SYS") returned -1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="boot.ini") returned 1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="AUTOEXEC.BAT") returned 1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="ntuser.dat") returned -1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="desktop.ini") returned 1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="CONFIG.SYS") returned 1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="RECYCLER") returned -1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="BOOTSECT.BAK") returned 1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="bootmgr") returned 1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="programdata") returned -1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="appdata") returned 1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="program files") returned -1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="program files (x86)") returned -1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="microsoft") returned -1 [0228.160] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="sophos") returned -1 [0228.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1448 [0228.160] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0228.160] PathFindExtensionW (pszPath="GetCurrentRollback.ini") returned=".ini" [0228.160] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0228.160] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0228.160] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0228.160] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0228.160] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0228.160] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0228.160] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0228.160] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0228.160] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2=".") returned 1 [0228.160] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="..") returned 1 [0228.160] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="...") returned 1 [0228.160] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="windows") returned -1 [0228.160] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="$RECYCLE.BIN") returned 1 [0228.160] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="rsa") returned -1 [0228.160] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="NTDETECT.COM") returned 1 [0228.160] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="ntldr") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="MSDOS.SYS") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="IO.SYS") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="boot.ini") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="ntuser.dat") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="desktop.ini") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="CONFIG.SYS") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="RECYCLER") returned -1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="BOOTSECT.BAK") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="bootmgr") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="programdata") returned -1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="appdata") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="program files") returned -1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="program files (x86)") returned -1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="microsoft") returned 1 [0228.161] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="sophos") returned -1 [0228.161] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14b0 [0228.161] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1448 | out: hHeap=0x28d0000) returned 1 [0228.161] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0228.161] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0228.161] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0228.161] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0228.161] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0228.161] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0228.161] lstrcmpiW (lpString1="preoobe.cmd", lpString2=".") returned 1 [0228.161] lstrcmpiW (lpString1="preoobe.cmd", lpString2="..") returned 1 [0228.161] lstrcmpiW (lpString1="preoobe.cmd", lpString2="...") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="windows") returned -1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="$RECYCLE.BIN") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="rsa") returned -1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="NTDETECT.COM") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="ntldr") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="MSDOS.SYS") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="IO.SYS") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="boot.ini") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="ntuser.dat") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="desktop.ini") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="CONFIG.SYS") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="RECYCLER") returned -1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="BOOTSECT.BAK") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="bootmgr") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="programdata") returned -1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="appdata") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="program files") returned -1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="program files (x86)") returned -1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="microsoft") returned 1 [0228.162] lstrcmpiW (lpString1="preoobe.cmd", lpString2="sophos") returned -1 [0228.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1398 [0228.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b0 | out: hHeap=0x28d0000) returned 1 [0228.162] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0228.162] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0228.162] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0228.162] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0228.162] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0228.162] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0228.162] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2=".") returned 1 [0228.162] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="..") returned 1 [0228.162] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="...") returned 1 [0228.162] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="windows") returned -1 [0228.162] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="$RECYCLE.BIN") returned 1 [0228.162] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="rsa") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="NTDETECT.COM") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="ntldr") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="MSDOS.SYS") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="IO.SYS") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="boot.ini") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="ntuser.dat") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="desktop.ini") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="CONFIG.SYS") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="RECYCLER") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="BOOTSECT.BAK") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="bootmgr") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="programdata") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="appdata") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="program files") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="program files (x86)") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="microsoft") returned 1 [0228.163] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="sophos") returned -1 [0228.163] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d13f0 [0228.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1398 | out: hHeap=0x28d0000) returned 1 [0228.163] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0228.163] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0228.163] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0228.163] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0228.163] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0228.163] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0228.163] FindClose (in: hFindFile=0xa2f420 | out: hFindFile=0xa2f420) returned 1 [0228.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f0 | out: hHeap=0x28d0000) returned 1 [0228.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1360 | out: hHeap=0x28d0000) returned 1 [0228.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1328 | out: hHeap=0x28d0000) returned 1 [0228.164] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a, dwReserved1=0xa100c0, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0228.164] FindClose (in: hFindFile=0xa2f560 | out: hFindFile=0xa2f560) returned 1 [0228.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0228.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c8 | out: hHeap=0x28d0000) returned 1 [0228.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12a0 | out: hHeap=0x28d0000) returned 1 [0228.164] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0228.165] lstrcmpiW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0228.165] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0228.165] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="...") returned -1 [0228.165] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="windows") returned -1 [0228.165] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$RECYCLE.BIN") returned 0 [0228.165] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2=".") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="..") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="...") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="windows") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="$RECYCLE.BIN") returned 1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="rsa") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="NTDETECT.COM") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="ntldr") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="MSDOS.SYS") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="IO.SYS") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="boot.ini") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="AUTOEXEC.BAT") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="ntuser.dat") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="desktop.ini") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="CONFIG.SYS") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="RECYCLER") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="BOOTSECT.BAK") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="bootmgr") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="programdata") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="appdata") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="program files") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="program files (x86)") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="microsoft") returned -1 [0228.165] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="sophos") returned -1 [0228.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12a0 [0228.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0228.166] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".exe") returned 1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".log") returned 1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".cab") returned 1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".cmd") returned 1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".com") returned 1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".cpl") returned 1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".ini") returned 1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".dll") returned 1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".url") returned -1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".ttf") returned -1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".mp3") returned -1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".pif") returned -1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".mp4") returned -1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".NEFILIM") returned -1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".msi") returned -1 [0228.166] lstrcmpiW (lpString1=".MARKER", lpString2=".lnk") returned 1 [0228.166] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0228.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12f8 [0228.199] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x25c [0228.224] GetFileSizeEx (in: hFile=0x25c, lpFileSize=0x26ef5a8 | out: lpFileSize=0x26ef5a8*=0) returned 1 [0228.224] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1fd0 [0228.224] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1278 [0228.225] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x756e0000 [0228.225] GetProcAddress (hModule=0x756e0000, lpProcName="SystemFunction036") returned 0x744329e0 [0228.225] SystemFunction036 (in: RandomBuffer=0x28d1fd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1fd0) returned 1 [0228.225] SystemFunction036 (in: RandomBuffer=0x28d1278, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1278) returned 1 [0228.225] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1350 [0228.225] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fe8 [0228.357] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1350*, pdwDataLen=0x26ef568*=0x10, dwBufLen=0x100 | out: pbData=0x28d1350*, pdwDataLen=0x26ef568*=0x100) returned 1 [0228.358] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fe8*, pdwDataLen=0x26ef564*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fe8*, pdwDataLen=0x26ef564*=0x100) returned 1 [0228.358] GetTickCount () returned 0x117987a [0228.359] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1458 [0228.359] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1458 | out: hHeap=0x28d0000) returned 1 [0228.359] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.375] SetLastError (dwErrCode=0x0) [0228.375] WriteFile (in: hFile=0x25c, lpBuffer=0x28d1350*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpBuffer=0x28d1350*, lpNumberOfBytesWritten=0x26ef5c0*=0x100, lpOverlapped=0x0) returned 1 [0228.376] GetLastError () returned 0x0 [0228.468] GetLastError () returned 0x0 [0228.468] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.468] WriteFile (in: hFile=0x25c, lpBuffer=0x28d1fe8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fe8*, lpNumberOfBytesWritten=0x26ef5c0*=0x100, lpOverlapped=0x0) returned 1 [0228.469] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.469] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef57c | out: lpSystemTimeAsFileTime=0x26ef57c*(dwLowDateTime=0xae7e4142, dwHighDateTime=0x1d5fd73)) [0228.469] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1458 [0228.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1458 | out: hHeap=0x28d0000) returned 1 [0228.494] WriteFile (in: hFile=0x25c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef5c0*=0x7, lpOverlapped=0x0) returned 1 [0228.495] GetProcessHeap () returned 0xa10000 [0228.495] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x0) returned 0xa330a0 [0228.601] GetSystemDefaultLangID () returned 0xa20409 [0228.601] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.667] ReadFile (in: hFile=0x25c, lpBuffer=0xa330a0, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x26ef5cc, lpOverlapped=0x0 | out: lpBuffer=0xa330a0*, lpNumberOfBytesRead=0x26ef5cc*=0x0, lpOverlapped=0x0) returned 1 [0228.667] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.688] WriteFile (in: hFile=0x25c, lpBuffer=0xa330a0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpBuffer=0xa330a0*, lpNumberOfBytesWritten=0x26ef5c0*=0x0, lpOverlapped=0x0) returned 1 [0228.688] GetProcessHeap () returned 0xa10000 [0228.726] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa330a0 | out: hHeap=0xa10000) returned 1 [0228.726] CloseHandle (hObject=0x25c) returned 1 [0228.727] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1350 | out: hHeap=0x28d0000) returned 1 [0228.727] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fe8 | out: hHeap=0x28d0000) returned 1 [0228.727] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0228.728] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0228.728] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1350 [0228.728] MoveFileW (lpExistingFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), lpNewFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER.NEFILIM" (normalized: "c:\\$winre_backup_partition.marker.nefilim")) returned 1 [0228.729] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1350 | out: hHeap=0x28d0000) returned 1 [0228.729] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f8 | out: hHeap=0x28d0000) returned 1 [0228.729] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2=".") returned 1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="..") returned 1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="...") returned 1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="windows") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="$RECYCLE.BIN") returned 1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="rsa") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="NTDETECT.COM") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="ntldr") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="MSDOS.SYS") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="IO.SYS") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="boot.ini") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="AUTOEXEC.BAT") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="ntuser.dat") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="desktop.ini") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="CONFIG.SYS") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="RECYCLER") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="BOOTSECT.BAK") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="bootmgr") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="programdata") returned -1 [0228.729] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="appdata") returned -1 [0228.730] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="program files") returned -1 [0228.730] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="program files (x86)") returned -1 [0228.730] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="microsoft") returned -1 [0228.730] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="sophos") returned -1 [0228.730] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12f8 [0228.730] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12a0 | out: hHeap=0x28d0000) returned 1 [0228.730] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0228.730] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12b0 [0228.730] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0228.730] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName=".", cAlternateFileName="")) returned 0xa2f9a0 [0228.739] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0228.739] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="..", cAlternateFileName="")) returned 1 [0228.758] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0228.758] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0228.758] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1025", cAlternateFileName="")) returned 1 [0228.759] lstrcmpiW (lpString1="1025", lpString2=".") returned 1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="..") returned 1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="...") returned 1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="windows") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="$RECYCLE.BIN") returned 1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="rsa") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="NTDETECT.COM") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="ntldr") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="MSDOS.SYS") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="IO.SYS") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="boot.ini") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="AUTOEXEC.BAT") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="ntuser.dat") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="desktop.ini") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="CONFIG.SYS") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="RECYCLER") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="BOOTSECT.BAK") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="bootmgr") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="programdata") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="appdata") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="program files") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="program files (x86)") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="microsoft") returned -1 [0228.759] lstrcmpiW (lpString1="1025", lpString2="sophos") returned -1 [0228.759] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0228.759] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0228.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0228.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0228.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0228.760] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0228.761] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0228.761] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.761] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0228.761] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0228.761] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0228.761] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0228.762] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0228.762] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0228.762] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0228.762] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0228.762] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0228.762] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0228.762] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0228.762] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0228.762] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0228.762] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0228.762] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0228.762] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0228.762] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0228.763] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0228.763] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0228.763] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0228.763] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0228.763] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0228.763] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0228.765] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=7567) returned 1 [0228.765] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0228.765] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0228.765] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0228.765] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0228.765] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0228.766] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0228.766] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0228.766] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0228.767] GetTickCount () returned 0x1179a10 [0228.767] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0228.767] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0228.767] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1d8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.767] SetLastError (dwErrCode=0x0) [0228.767] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0228.769] GetLastError () returned 0x0 [0228.769] GetLastError () returned 0x0 [0228.769] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1e8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.769] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0228.770] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1f8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.770] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaeab8d23, dwHighDateTime=0x1d5fd73)) [0228.770] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0228.770] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0228.770] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0228.770] GetProcessHeap () returned 0xa10000 [0228.770] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1d8f) returned 0xa3ae80 [0228.770] GetSystemDefaultLangID () returned 0xa20409 [0228.770] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.770] ReadFile (in: hFile=0x264, lpBuffer=0xa3ae80, nNumberOfBytesToRead=0x1d8f, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3ae80*, lpNumberOfBytesRead=0x26eef8c*=0x1d8f, lpOverlapped=0x0) returned 1 [0228.772] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.772] WriteFile (in: hFile=0x264, lpBuffer=0xa3ae80*, nNumberOfBytesToWrite=0x1d8f, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3ae80*, lpNumberOfBytesWritten=0x26eef80*=0x1d8f, lpOverlapped=0x0) returned 1 [0228.772] GetProcessHeap () returned 0xa10000 [0228.772] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3ae80 | out: hHeap=0xa10000) returned 1 [0228.772] CloseHandle (hObject=0x264) returned 1 [0228.774] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0228.774] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0228.774] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0228.775] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0228.775] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0228.775] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.nefilim")) returned 1 [0228.778] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0228.778] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0228.778] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0228.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0228.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0228.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0228.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0228.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0228.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0228.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0228.779] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0228.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0228.779] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0228.779] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0228.780] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0228.780] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0228.780] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0228.780] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0228.780] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0228.781] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=74214) returned 1 [0228.781] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0228.781] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0228.781] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0228.781] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0228.781] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0228.781] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0228.781] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0228.782] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0228.782] GetTickCount () returned 0x1179a20 [0228.782] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0228.782] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0228.782] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x121e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.782] SetLastError (dwErrCode=0x0) [0228.782] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0228.784] GetLastError () returned 0x0 [0228.784] GetLastError () returned 0x0 [0228.785] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x122e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.785] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0228.785] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x123e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.785] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaeadef09, dwHighDateTime=0x1d5fd73)) [0228.785] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0228.785] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0228.785] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0228.785] GetProcessHeap () returned 0xa10000 [0228.785] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x121e6) returned 0xa3ae80 [0228.786] GetSystemDefaultLangID () returned 0xa20409 [0228.786] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.786] ReadFile (in: hFile=0x264, lpBuffer=0xa3ae80, nNumberOfBytesToRead=0x121e6, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3ae80*, lpNumberOfBytesRead=0x26eef8c*=0x121e6, lpOverlapped=0x0) returned 1 [0228.829] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.829] WriteFile (in: hFile=0x264, lpBuffer=0xa3ae80*, nNumberOfBytesToWrite=0x121e6, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3ae80*, lpNumberOfBytesWritten=0x26eef80*=0x121e6, lpOverlapped=0x0) returned 1 [0228.830] GetProcessHeap () returned 0xa10000 [0228.830] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3ae80 | out: hHeap=0xa10000) returned 1 [0228.830] CloseHandle (hObject=0x264) returned 1 [0228.833] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0228.834] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0228.834] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0228.834] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0228.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0228.834] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.nefilim")) returned 1 [0228.835] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0228.835] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0228.835] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0228.835] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0228.835] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0228.835] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0228.835] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0228.835] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0228.835] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0228.836] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0228.836] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0228.836] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0228.836] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0228.836] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0228.836] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0228.836] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0228.837] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0228.837] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0228.837] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0228.837] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0228.837] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0228.837] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0228.837] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0228.837] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0228.837] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0228.837] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0228.837] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1028", cAlternateFileName="")) returned 1 [0228.837] lstrcmpiW (lpString1="1028", lpString2=".") returned 1 [0228.837] lstrcmpiW (lpString1="1028", lpString2="..") returned 1 [0228.837] lstrcmpiW (lpString1="1028", lpString2="...") returned 1 [0228.837] lstrcmpiW (lpString1="1028", lpString2="windows") returned -1 [0228.837] lstrcmpiW (lpString1="1028", lpString2="$RECYCLE.BIN") returned 1 [0228.837] lstrcmpiW (lpString1="1028", lpString2="rsa") returned -1 [0228.837] lstrcmpiW (lpString1="1028", lpString2="NTDETECT.COM") returned -1 [0228.837] lstrcmpiW (lpString1="1028", lpString2="ntldr") returned -1 [0228.837] lstrcmpiW (lpString1="1028", lpString2="MSDOS.SYS") returned -1 [0228.837] lstrcmpiW (lpString1="1028", lpString2="IO.SYS") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="boot.ini") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="AUTOEXEC.BAT") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="ntuser.dat") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="desktop.ini") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="CONFIG.SYS") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="RECYCLER") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="BOOTSECT.BAK") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="bootmgr") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="programdata") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="appdata") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="program files") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="program files (x86)") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="microsoft") returned -1 [0228.838] lstrcmpiW (lpString1="1028", lpString2="sophos") returned -1 [0228.838] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0228.838] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0228.838] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0228.838] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0228.838] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0228.839] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0228.840] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0228.840] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.840] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0228.840] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0228.840] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0228.840] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0228.841] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0228.841] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0228.841] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0228.841] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0228.841] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0228.841] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0228.841] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0228.841] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0228.841] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0228.841] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0228.841] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0228.841] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0228.841] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0228.842] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=6309) returned 1 [0228.842] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0228.842] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0228.842] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0228.842] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0228.842] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0228.842] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0228.842] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0228.843] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0228.844] GetTickCount () returned 0x1179a5e [0228.844] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0228.844] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0228.844] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x18a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.844] SetLastError (dwErrCode=0x0) [0228.844] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0228.854] GetLastError () returned 0x0 [0228.854] GetLastError () returned 0x0 [0228.854] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x19a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.855] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0228.855] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1aa5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.855] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaeb9db21, dwHighDateTime=0x1d5fd73)) [0228.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0228.855] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0228.855] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0228.855] GetProcessHeap () returned 0xa10000 [0228.855] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x18a5) returned 0xa3b688 [0228.855] GetSystemDefaultLangID () returned 0xa20409 [0228.855] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.855] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x18a5, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x18a5, lpOverlapped=0x0) returned 1 [0228.857] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.857] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x18a5, lpOverlapped=0x0) returned 1 [0228.857] GetProcessHeap () returned 0xa10000 [0228.857] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0228.857] CloseHandle (hObject=0x264) returned 1 [0228.859] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0228.859] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0228.859] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0228.859] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0228.859] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0228.859] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.nefilim")) returned 1 [0228.863] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0228.863] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0228.863] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0228.863] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0228.863] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0228.864] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0228.864] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0228.864] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0228.864] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0228.864] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0228.865] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0228.866] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=60816) returned 1 [0228.866] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0228.866] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0228.866] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0228.866] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0228.866] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0228.866] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0228.866] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0228.866] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0228.867] GetTickCount () returned 0x1179a7d [0228.867] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0228.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0228.867] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xed90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.867] SetLastError (dwErrCode=0x0) [0228.867] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.017] GetLastError () returned 0x0 [0229.017] GetLastError () returned 0x0 [0229.017] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xee90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.017] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.017] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xef90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.017] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaed24e49, dwHighDateTime=0x1d5fd73)) [0229.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.017] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.017] GetProcessHeap () returned 0xa10000 [0229.017] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xed90) returned 0xa3b688 [0229.017] GetSystemDefaultLangID () returned 0xa20409 [0229.017] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.017] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xed90, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xed90, lpOverlapped=0x0) returned 1 [0229.022] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.022] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xed90, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xed90, lpOverlapped=0x0) returned 1 [0229.023] GetProcessHeap () returned 0xa10000 [0229.023] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.023] CloseHandle (hObject=0x264) returned 1 [0229.027] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.027] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.027] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.027] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.027] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.028] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.nefilim")) returned 1 [0229.028] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.028] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.028] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.029] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.029] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.029] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.029] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.029] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.029] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.029] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.029] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.030] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.030] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.030] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.030] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.030] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.030] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0229.030] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.030] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.030] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.030] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1029", cAlternateFileName="")) returned 1 [0229.030] lstrcmpiW (lpString1="1029", lpString2=".") returned 1 [0229.030] lstrcmpiW (lpString1="1029", lpString2="..") returned 1 [0229.030] lstrcmpiW (lpString1="1029", lpString2="...") returned 1 [0229.030] lstrcmpiW (lpString1="1029", lpString2="windows") returned -1 [0229.030] lstrcmpiW (lpString1="1029", lpString2="$RECYCLE.BIN") returned 1 [0229.030] lstrcmpiW (lpString1="1029", lpString2="rsa") returned -1 [0229.030] lstrcmpiW (lpString1="1029", lpString2="NTDETECT.COM") returned -1 [0229.030] lstrcmpiW (lpString1="1029", lpString2="ntldr") returned -1 [0229.030] lstrcmpiW (lpString1="1029", lpString2="MSDOS.SYS") returned -1 [0229.030] lstrcmpiW (lpString1="1029", lpString2="IO.SYS") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="boot.ini") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="AUTOEXEC.BAT") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="ntuser.dat") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="desktop.ini") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="CONFIG.SYS") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="RECYCLER") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="BOOTSECT.BAK") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="bootmgr") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="programdata") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="appdata") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="program files") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="program files (x86)") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="microsoft") returned -1 [0229.031] lstrcmpiW (lpString1="1029", lpString2="sophos") returned -1 [0229.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.031] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.031] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f360 [0229.032] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.032] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.032] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.032] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.032] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.032] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.032] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.033] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.033] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.033] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.033] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.033] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.034] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.034] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.034] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.035] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3726) returned 1 [0229.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.035] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.035] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.035] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.036] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.038] GetTickCount () returned 0x1179b29 [0229.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.038] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.038] SetLastError (dwErrCode=0x0) [0229.038] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.040] GetLastError () returned 0x0 [0229.040] GetLastError () returned 0x0 [0229.040] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.040] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.040] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x108e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.040] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaed67692, dwHighDateTime=0x1d5fd73)) [0229.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.041] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.041] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.041] GetProcessHeap () returned 0xa10000 [0229.041] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe8e) returned 0xa3b688 [0229.041] GetSystemDefaultLangID () returned 0xa20409 [0229.041] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.041] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xe8e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xe8e, lpOverlapped=0x0) returned 1 [0229.041] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.041] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xe8e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xe8e, lpOverlapped=0x0) returned 1 [0229.041] GetProcessHeap () returned 0xa10000 [0229.041] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.042] CloseHandle (hObject=0x264) returned 1 [0229.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.043] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.043] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.nefilim")) returned 1 [0229.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.046] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.046] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.047] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.047] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.047] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.047] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.047] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.047] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.047] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.047] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.047] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.048] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=80970) returned 1 [0229.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.048] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.048] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.048] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.048] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.049] GetTickCount () returned 0x1179b29 [0229.049] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.049] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.049] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13c4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.049] SetLastError (dwErrCode=0x0) [0229.049] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.148] GetLastError () returned 0x0 [0229.148] GetLastError () returned 0x0 [0229.148] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13d4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.148] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.148] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13e4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.148] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaee7385b, dwHighDateTime=0x1d5fd73)) [0229.148] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.148] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.149] GetProcessHeap () returned 0xa10000 [0229.149] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x13c4a) returned 0xa3b688 [0229.149] GetSystemDefaultLangID () returned 0xa20409 [0229.149] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.149] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x13c4a, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x13c4a, lpOverlapped=0x0) returned 1 [0229.155] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.155] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x13c4a, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x13c4a, lpOverlapped=0x0) returned 1 [0229.155] GetProcessHeap () returned 0xa10000 [0229.155] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.155] CloseHandle (hObject=0x264) returned 1 [0229.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.158] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.158] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.nefilim")) returned 1 [0229.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.159] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.159] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.160] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.160] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.160] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.160] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.160] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.160] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.160] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.160] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.160] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.160] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.160] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.160] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.160] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.160] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.160] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.160] FindClose (in: hFindFile=0xa2f360 | out: hFindFile=0xa2f360) returned 1 [0229.160] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.160] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.160] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.160] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1030", cAlternateFileName="")) returned 1 [0229.160] lstrcmpiW (lpString1="1030", lpString2=".") returned 1 [0229.160] lstrcmpiW (lpString1="1030", lpString2="..") returned 1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="...") returned 1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="windows") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="$RECYCLE.BIN") returned 1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="rsa") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="NTDETECT.COM") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="ntldr") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="MSDOS.SYS") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="IO.SYS") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="boot.ini") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="AUTOEXEC.BAT") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="ntuser.dat") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="desktop.ini") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="CONFIG.SYS") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="RECYCLER") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="BOOTSECT.BAK") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="bootmgr") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="programdata") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="appdata") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="program files") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="program files (x86)") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="microsoft") returned -1 [0229.161] lstrcmpiW (lpString1="1030", lpString2="sophos") returned -1 [0229.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.162] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0229.163] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.163] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.163] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.163] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.163] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.163] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.164] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.164] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.164] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.164] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.165] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.165] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.165] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.165] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.165] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.165] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.165] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.165] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3314) returned 1 [0229.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.165] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.165] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.165] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.167] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.168] GetTickCount () returned 0x1179ba6 [0229.168] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.168] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.168] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xcf2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.168] SetLastError (dwErrCode=0x0) [0229.168] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.170] GetLastError () returned 0x0 [0229.170] GetLastError () returned 0x0 [0229.171] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xdf2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.171] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.171] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xef2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.171] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaee98bc8, dwHighDateTime=0x1d5fd73)) [0229.171] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.171] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.171] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.171] GetProcessHeap () returned 0xa10000 [0229.171] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xcf2) returned 0xa3b688 [0229.171] GetSystemDefaultLangID () returned 0xa20409 [0229.171] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.171] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xcf2, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xcf2, lpOverlapped=0x0) returned 1 [0229.171] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.172] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xcf2, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xcf2, lpOverlapped=0x0) returned 1 [0229.172] GetProcessHeap () returned 0xa10000 [0229.172] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.172] CloseHandle (hObject=0x264) returned 1 [0229.173] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.173] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.173] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.173] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.173] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.nefilim")) returned 1 [0229.176] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.176] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.176] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.176] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.176] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.176] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.176] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.176] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.176] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.177] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.177] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.177] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.177] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.177] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.177] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.177] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.177] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.177] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.177] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.178] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.178] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.178] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.178] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.178] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=77748) returned 1 [0229.178] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.178] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.178] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.178] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.179] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.179] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.179] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.179] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.179] GetTickCount () returned 0x1179bb6 [0229.179] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.179] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12fb4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.180] SetLastError (dwErrCode=0x0) [0229.180] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.182] GetLastError () returned 0x0 [0229.182] GetLastError () returned 0x0 [0229.182] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x130b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.182] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.182] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x131b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.182] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaeebeca0, dwHighDateTime=0x1d5fd73)) [0229.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.182] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.182] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.182] GetProcessHeap () returned 0xa10000 [0229.182] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12fb4) returned 0xa3b688 [0229.183] GetSystemDefaultLangID () returned 0xa20409 [0229.183] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.183] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x12fb4, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x12fb4, lpOverlapped=0x0) returned 1 [0229.233] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.233] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x12fb4, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x12fb4, lpOverlapped=0x0) returned 1 [0229.234] GetProcessHeap () returned 0xa10000 [0229.234] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.234] CloseHandle (hObject=0x264) returned 1 [0229.240] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.240] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.240] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.240] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.240] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.240] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.nefilim")) returned 1 [0229.241] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.241] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.241] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.241] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.242] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.242] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.242] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.242] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.242] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.242] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.242] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.242] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.242] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.242] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.242] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.242] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.242] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.242] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0229.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.243] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1031", cAlternateFileName="")) returned 1 [0229.243] lstrcmpiW (lpString1="1031", lpString2=".") returned 1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="..") returned 1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="...") returned 1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="windows") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="$RECYCLE.BIN") returned 1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="rsa") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="NTDETECT.COM") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="ntldr") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="MSDOS.SYS") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="IO.SYS") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="boot.ini") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="AUTOEXEC.BAT") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="ntuser.dat") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="desktop.ini") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="CONFIG.SYS") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="RECYCLER") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="BOOTSECT.BAK") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="bootmgr") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="programdata") returned -1 [0229.243] lstrcmpiW (lpString1="1031", lpString2="appdata") returned -1 [0229.244] lstrcmpiW (lpString1="1031", lpString2="program files") returned -1 [0229.244] lstrcmpiW (lpString1="1031", lpString2="program files (x86)") returned -1 [0229.244] lstrcmpiW (lpString1="1031", lpString2="microsoft") returned -1 [0229.244] lstrcmpiW (lpString1="1031", lpString2="sophos") returned -1 [0229.244] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.244] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.244] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.244] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.244] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.244] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0229.245] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.245] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.245] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.245] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.245] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.245] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.246] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.246] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.246] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.246] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.246] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.246] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.246] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.246] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.246] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.246] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.246] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.246] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.246] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.247] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.247] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.247] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.247] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.247] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.247] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.247] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.247] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.247] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.247] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.247] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3419) returned 1 [0229.247] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.247] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.247] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.247] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.247] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.247] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.247] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.249] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.250] GetTickCount () returned 0x1179bf4 [0229.250] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.250] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.250] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.250] SetLastError (dwErrCode=0x0) [0229.250] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.252] GetLastError () returned 0x0 [0229.252] GetLastError () returned 0x0 [0229.252] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.252] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.252] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.253] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaef57f39, dwHighDateTime=0x1d5fd73)) [0229.253] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.253] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.253] GetProcessHeap () returned 0xa10000 [0229.253] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xd5b) returned 0xa3b688 [0229.253] GetSystemDefaultLangID () returned 0xa20409 [0229.253] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.253] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xd5b, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xd5b, lpOverlapped=0x0) returned 1 [0229.253] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.253] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xd5b, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xd5b, lpOverlapped=0x0) returned 1 [0229.253] GetProcessHeap () returned 0xa10000 [0229.253] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.253] CloseHandle (hObject=0x264) returned 1 [0229.255] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.255] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.255] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.255] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.255] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.255] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.nefilim")) returned 1 [0229.257] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.257] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.258] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.258] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.258] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.259] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.259] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.259] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.259] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.259] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.259] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.260] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=82346) returned 1 [0229.260] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.260] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.260] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.260] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.260] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.260] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.260] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.260] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.261] GetTickCount () returned 0x1179c04 [0229.261] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.261] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.261] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x141aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.261] SetLastError (dwErrCode=0x0) [0229.261] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.304] GetLastError () returned 0x0 [0229.304] GetLastError () returned 0x0 [0229.304] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x142aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.304] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.304] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x143aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.304] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaeff000f, dwHighDateTime=0x1d5fd73)) [0229.304] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.304] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.304] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.304] GetProcessHeap () returned 0xa10000 [0229.304] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x141aa) returned 0xa3b688 [0229.305] GetSystemDefaultLangID () returned 0xa20409 [0229.305] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.305] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x141aa, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x141aa, lpOverlapped=0x0) returned 1 [0229.311] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.311] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x141aa, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x141aa, lpOverlapped=0x0) returned 1 [0229.312] GetProcessHeap () returned 0xa10000 [0229.312] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.312] CloseHandle (hObject=0x264) returned 1 [0229.320] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.320] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.320] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.320] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.320] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.320] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.nefilim")) returned 1 [0229.321] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.321] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.321] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.322] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.323] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.323] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.323] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.323] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.323] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.323] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.323] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.323] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.323] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.323] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.323] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.323] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.323] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.324] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0229.324] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.324] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.324] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.324] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1032", cAlternateFileName="")) returned 1 [0229.324] lstrcmpiW (lpString1="1032", lpString2=".") returned 1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="..") returned 1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="...") returned 1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="windows") returned -1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="$RECYCLE.BIN") returned 1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="rsa") returned -1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="NTDETECT.COM") returned -1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="ntldr") returned -1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="MSDOS.SYS") returned -1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="IO.SYS") returned -1 [0229.324] lstrcmpiW (lpString1="1032", lpString2="boot.ini") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="AUTOEXEC.BAT") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="ntuser.dat") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="desktop.ini") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="CONFIG.SYS") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="RECYCLER") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="BOOTSECT.BAK") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="bootmgr") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="programdata") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="appdata") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="program files") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="program files (x86)") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="microsoft") returned -1 [0229.325] lstrcmpiW (lpString1="1032", lpString2="sophos") returned -1 [0229.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.325] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0229.328] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.328] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.328] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.328] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.328] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.328] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.329] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.330] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.330] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.330] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.330] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.330] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.330] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.330] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.331] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.331] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.331] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.331] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.331] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.331] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.331] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.331] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.331] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.332] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=8876) returned 1 [0229.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.333] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.333] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.333] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.335] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.336] GetTickCount () returned 0x1179c52 [0229.336] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.336] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.336] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x22ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.337] SetLastError (dwErrCode=0x0) [0229.337] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.492] GetLastError () returned 0x0 [0229.492] GetLastError () returned 0x0 [0229.492] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x23ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.492] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.493] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x24ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.493] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf1b9ccc, dwHighDateTime=0x1d5fd73)) [0229.493] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.493] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.493] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.493] GetProcessHeap () returned 0xa10000 [0229.493] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x22ac) returned 0xa3b688 [0229.493] GetSystemDefaultLangID () returned 0xa20409 [0229.493] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.493] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x22ac, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x22ac, lpOverlapped=0x0) returned 1 [0229.494] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.494] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x22ac, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x22ac, lpOverlapped=0x0) returned 1 [0229.495] GetProcessHeap () returned 0xa10000 [0229.495] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.495] CloseHandle (hObject=0x264) returned 1 [0229.503] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.503] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.503] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.503] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.503] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.504] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.nefilim")) returned 1 [0229.506] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.506] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.506] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.506] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.507] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.507] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.507] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.507] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.507] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.507] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.507] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.507] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.507] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.508] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.508] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.508] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.508] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.508] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=86284) returned 1 [0229.508] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.508] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.508] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.508] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.508] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.508] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.508] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.509] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.509] GetTickCount () returned 0x1179cfe [0229.509] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.509] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1510c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.509] SetLastError (dwErrCode=0x0) [0229.509] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.511] GetLastError () returned 0x0 [0229.511] GetLastError () returned 0x0 [0229.511] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1520c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.511] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.511] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1530c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.511] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf1dfcb4, dwHighDateTime=0x1d5fd73)) [0229.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.511] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.512] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.512] GetProcessHeap () returned 0xa10000 [0229.512] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1510c) returned 0xa3b688 [0229.512] GetSystemDefaultLangID () returned 0xa20409 [0229.512] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.512] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1510c, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x1510c, lpOverlapped=0x0) returned 1 [0229.518] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.518] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1510c, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x1510c, lpOverlapped=0x0) returned 1 [0229.518] GetProcessHeap () returned 0xa10000 [0229.518] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.518] CloseHandle (hObject=0x264) returned 1 [0229.521] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.521] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.522] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.522] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.522] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.522] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.nefilim")) returned 1 [0229.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.523] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.523] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.524] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.524] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.524] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.524] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.524] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.524] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.524] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.524] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.524] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.524] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.524] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.524] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.524] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.524] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.524] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.524] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.524] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.524] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.524] FindClose (in: hFindFile=0xa2f920 | out: hFindFile=0xa2f920) returned 1 [0229.524] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.524] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.525] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.525] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1033", cAlternateFileName="")) returned 1 [0229.525] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="rsa") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="NTDETECT.COM") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="ntldr") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="MSDOS.SYS") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="IO.SYS") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="boot.ini") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="AUTOEXEC.BAT") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="ntuser.dat") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="desktop.ini") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="CONFIG.SYS") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="RECYCLER") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="BOOTSECT.BAK") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="bootmgr") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="programdata") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="appdata") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="program files") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="program files (x86)") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="microsoft") returned -1 [0229.525] lstrcmpiW (lpString1="1033", lpString2="sophos") returned -1 [0229.526] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.526] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.526] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.526] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.526] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.526] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0229.527] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.527] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.527] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.527] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.527] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.527] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.528] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.528] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.528] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.528] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.528] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.529] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.529] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.529] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.529] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.529] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.529] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.529] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.529] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3188) returned 1 [0229.529] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.529] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.529] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.529] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.529] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.529] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.529] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.531] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.532] GetTickCount () returned 0x1179d0e [0229.532] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.532] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.532] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xc74, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.532] SetLastError (dwErrCode=0x0) [0229.532] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.569] GetLastError () returned 0x0 [0229.569] GetLastError () returned 0x0 [0229.569] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd74, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.569] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.569] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe74, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.569] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf2787f2, dwHighDateTime=0x1d5fd73)) [0229.569] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.569] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.569] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.569] GetProcessHeap () returned 0xa10000 [0229.569] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xc74) returned 0xa3b688 [0229.569] GetSystemDefaultLangID () returned 0xa20409 [0229.569] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.570] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xc74, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xc74, lpOverlapped=0x0) returned 1 [0229.570] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.570] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xc74, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xc74, lpOverlapped=0x0) returned 1 [0229.570] GetProcessHeap () returned 0xa10000 [0229.570] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.570] CloseHandle (hObject=0x264) returned 1 [0229.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.571] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.nefilim")) returned 1 [0229.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.574] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.574] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.574] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.574] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.575] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.575] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.575] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.575] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.576] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=77232) returned 1 [0229.576] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.576] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.576] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.576] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.576] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.576] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.576] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.577] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.577] GetTickCount () returned 0x1179d3c [0229.577] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.577] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.577] SetLastError (dwErrCode=0x0) [0229.577] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.580] GetLastError () returned 0x0 [0229.580] GetLastError () returned 0x0 [0229.580] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.580] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.580] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.580] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf2787f2, dwHighDateTime=0x1d5fd73)) [0229.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.580] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.580] GetProcessHeap () returned 0xa10000 [0229.580] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12db0) returned 0xa3b688 [0229.580] GetSystemDefaultLangID () returned 0xa20409 [0229.581] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.581] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x12db0, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x12db0, lpOverlapped=0x0) returned 1 [0229.587] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.587] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x12db0, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x12db0, lpOverlapped=0x0) returned 1 [0229.587] GetProcessHeap () returned 0xa10000 [0229.588] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.588] CloseHandle (hObject=0x264) returned 1 [0229.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.592] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.nefilim")) returned 1 [0229.604] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.604] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.605] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.605] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.606] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.606] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.606] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.606] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.606] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.606] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.606] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.606] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.606] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.606] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.606] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.606] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.606] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.606] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.606] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.606] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.606] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.606] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.606] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0229.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.607] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1035", cAlternateFileName="")) returned 1 [0229.607] lstrcmpiW (lpString1="1035", lpString2=".") returned 1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="..") returned 1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="...") returned 1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="windows") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="$RECYCLE.BIN") returned 1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="rsa") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="NTDETECT.COM") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="ntldr") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="MSDOS.SYS") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="IO.SYS") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="boot.ini") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="AUTOEXEC.BAT") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="ntuser.dat") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="desktop.ini") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="CONFIG.SYS") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="RECYCLER") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="BOOTSECT.BAK") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="bootmgr") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="programdata") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="appdata") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="program files") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="program files (x86)") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="microsoft") returned -1 [0229.607] lstrcmpiW (lpString1="1035", lpString2="sophos") returned -1 [0229.607] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.607] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.608] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.608] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.608] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0229.608] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.608] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.608] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.608] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.608] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.609] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.609] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.609] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.609] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.610] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3702) returned 1 [0229.610] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.610] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.610] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.610] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.610] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.610] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.610] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.611] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.612] GetTickCount () returned 0x1179d5c [0229.612] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.612] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.612] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.612] SetLastError (dwErrCode=0x0) [0229.612] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.649] GetLastError () returned 0x0 [0229.649] GetLastError () returned 0x0 [0229.649] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.649] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.649] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1076, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.649] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf337430, dwHighDateTime=0x1d5fd73)) [0229.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.649] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.649] GetProcessHeap () returned 0xa10000 [0229.649] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe76) returned 0xa3b688 [0229.649] GetSystemDefaultLangID () returned 0xa20409 [0229.649] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.649] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xe76, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xe76, lpOverlapped=0x0) returned 1 [0229.650] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.650] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xe76, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xe76, lpOverlapped=0x0) returned 1 [0229.650] GetProcessHeap () returned 0xa10000 [0229.650] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.650] CloseHandle (hObject=0x264) returned 1 [0229.651] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.651] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.651] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.651] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.651] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.651] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.nefilim")) returned 1 [0229.654] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.654] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.654] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.655] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.655] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.655] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.655] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.656] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.656] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.656] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.656] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.656] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=77022) returned 1 [0229.656] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.656] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.656] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.656] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.656] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.656] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.657] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.657] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.657] GetTickCount () returned 0x1179d8b [0229.657] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.657] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.657] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12cde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.657] SetLastError (dwErrCode=0x0) [0229.657] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.659] GetLastError () returned 0x0 [0229.659] GetLastError () returned 0x0 [0229.659] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12dde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.659] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.659] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.659] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf337430, dwHighDateTime=0x1d5fd73)) [0229.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.659] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.659] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.659] GetProcessHeap () returned 0xa10000 [0229.659] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12cde) returned 0xa3b688 [0229.660] GetSystemDefaultLangID () returned 0xa20409 [0229.660] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.660] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x12cde, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x12cde, lpOverlapped=0x0) returned 1 [0229.665] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.665] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x12cde, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x12cde, lpOverlapped=0x0) returned 1 [0229.666] GetProcessHeap () returned 0xa10000 [0229.666] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.666] CloseHandle (hObject=0x264) returned 1 [0229.671] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.671] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.671] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.671] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.671] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.671] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.nefilim")) returned 1 [0229.672] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.672] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.672] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.674] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.674] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.674] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.674] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.674] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.675] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.675] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.675] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.675] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.675] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.675] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.675] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.675] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0229.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.675] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1036", cAlternateFileName="")) returned 1 [0229.675] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0229.675] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0229.675] lstrcmpiW (lpString1="1036", lpString2="...") returned 1 [0229.675] lstrcmpiW (lpString1="1036", lpString2="windows") returned -1 [0229.675] lstrcmpiW (lpString1="1036", lpString2="$RECYCLE.BIN") returned 1 [0229.675] lstrcmpiW (lpString1="1036", lpString2="rsa") returned -1 [0229.675] lstrcmpiW (lpString1="1036", lpString2="NTDETECT.COM") returned -1 [0229.675] lstrcmpiW (lpString1="1036", lpString2="ntldr") returned -1 [0229.675] lstrcmpiW (lpString1="1036", lpString2="MSDOS.SYS") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="IO.SYS") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="boot.ini") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="AUTOEXEC.BAT") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="ntuser.dat") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="desktop.ini") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="CONFIG.SYS") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="RECYCLER") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="BOOTSECT.BAK") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="bootmgr") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="programdata") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="appdata") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="program files") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="program files (x86)") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="microsoft") returned -1 [0229.676] lstrcmpiW (lpString1="1036", lpString2="sophos") returned -1 [0229.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.676] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.676] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f560 [0229.677] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.677] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.677] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.677] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.677] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.678] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.678] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.679] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.679] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.679] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.679] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.679] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.680] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3526) returned 1 [0229.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.680] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.680] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.680] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.681] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.682] GetTickCount () returned 0x1179daa [0229.682] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.682] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.682] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xdc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.683] SetLastError (dwErrCode=0x0) [0229.683] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.731] GetLastError () returned 0x0 [0229.731] GetLastError () returned 0x0 [0229.731] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xec6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.731] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.732] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.732] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf3f6007, dwHighDateTime=0x1d5fd73)) [0229.732] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.732] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.732] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.732] GetProcessHeap () returned 0xa10000 [0229.732] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xdc6) returned 0xa3b688 [0229.732] GetSystemDefaultLangID () returned 0xa20409 [0229.732] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.732] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xdc6, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xdc6, lpOverlapped=0x0) returned 1 [0229.732] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.732] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xdc6, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xdc6, lpOverlapped=0x0) returned 1 [0229.733] GetProcessHeap () returned 0xa10000 [0229.733] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.733] CloseHandle (hObject=0x264) returned 1 [0229.734] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.734] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.734] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.734] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.734] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.734] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.nefilim")) returned 1 [0229.737] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.737] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.737] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.737] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.738] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.738] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.738] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.738] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.738] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.738] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.738] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.738] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.738] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.738] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.738] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.739] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.739] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=82962) returned 1 [0229.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.739] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.739] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.739] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.740] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.740] GetTickCount () returned 0x1179de8 [0229.740] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.740] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.740] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x14412, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.740] SetLastError (dwErrCode=0x0) [0229.740] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.742] GetLastError () returned 0x0 [0229.742] GetLastError () returned 0x0 [0229.742] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x14512, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.742] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.743] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x14612, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.743] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf41c24f, dwHighDateTime=0x1d5fd73)) [0229.743] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.743] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.743] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.743] GetProcessHeap () returned 0xa10000 [0229.743] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x14412) returned 0xa3b688 [0229.743] GetSystemDefaultLangID () returned 0xa20409 [0229.743] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.743] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x14412, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x14412, lpOverlapped=0x0) returned 1 [0229.749] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.749] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x14412, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x14412, lpOverlapped=0x0) returned 1 [0229.749] GetProcessHeap () returned 0xa10000 [0229.749] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.750] CloseHandle (hObject=0x264) returned 1 [0229.756] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.756] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.756] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.756] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.756] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.756] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.nefilim")) returned 1 [0229.757] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.757] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.757] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.758] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.758] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.758] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.758] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.758] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.758] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.758] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.758] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.758] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.758] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.758] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.758] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.758] FindClose (in: hFindFile=0xa2f560 | out: hFindFile=0xa2f560) returned 1 [0229.759] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.759] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.759] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.759] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1037", cAlternateFileName="")) returned 1 [0229.759] lstrcmpiW (lpString1="1037", lpString2=".") returned 1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="..") returned 1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="...") returned 1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="windows") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="$RECYCLE.BIN") returned 1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="rsa") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="NTDETECT.COM") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="ntldr") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="MSDOS.SYS") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="IO.SYS") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="boot.ini") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="AUTOEXEC.BAT") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="ntuser.dat") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="desktop.ini") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="CONFIG.SYS") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="RECYCLER") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="BOOTSECT.BAK") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="bootmgr") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="programdata") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="appdata") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="program files") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="program files (x86)") returned -1 [0229.759] lstrcmpiW (lpString1="1037", lpString2="microsoft") returned -1 [0229.760] lstrcmpiW (lpString1="1037", lpString2="sophos") returned -1 [0229.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.760] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.760] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0229.760] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.760] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.760] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.760] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.760] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.760] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.760] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.760] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.760] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.760] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.760] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.760] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.761] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.761] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.761] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.761] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.761] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.761] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.761] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.761] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.761] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.761] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.761] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.761] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.762] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.762] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.762] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.762] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.762] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.762] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.762] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.762] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.762] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.762] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.762] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=6851) returned 1 [0229.762] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.762] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.762] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.762] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.762] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.762] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.762] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.764] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.764] GetTickCount () returned 0x1179df8 [0229.764] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.765] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.765] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1ac3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.765] SetLastError (dwErrCode=0x0) [0229.765] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.807] GetLastError () returned 0x0 [0229.807] GetLastError () returned 0x0 [0229.807] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1bc3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.807] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.807] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1cc3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.807] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf4b4b0a, dwHighDateTime=0x1d5fd73)) [0229.807] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.807] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.807] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.807] GetProcessHeap () returned 0xa10000 [0229.807] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1ac3) returned 0xa3b688 [0229.807] GetSystemDefaultLangID () returned 0xa20409 [0229.808] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.808] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1ac3, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x1ac3, lpOverlapped=0x0) returned 1 [0229.809] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.809] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1ac3, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x1ac3, lpOverlapped=0x0) returned 1 [0229.809] GetProcessHeap () returned 0xa10000 [0229.809] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.809] CloseHandle (hObject=0x264) returned 1 [0229.811] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.811] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.811] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.811] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.811] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.811] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.nefilim")) returned 1 [0229.814] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.814] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.814] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.814] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.815] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.815] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.815] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.815] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.815] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.815] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.815] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.815] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.815] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.815] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.815] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.816] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=72076) returned 1 [0229.816] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.816] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.816] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.816] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.816] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.816] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.816] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.817] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.817] GetTickCount () returned 0x1179e27 [0229.817] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.817] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.817] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1198c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.817] SetLastError (dwErrCode=0x0) [0229.817] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.819] GetLastError () returned 0x0 [0229.819] GetLastError () returned 0x0 [0229.819] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x11a8c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.819] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.819] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x11b8c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.819] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf4dac0a, dwHighDateTime=0x1d5fd73)) [0229.820] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.820] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.820] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.820] GetProcessHeap () returned 0xa10000 [0229.820] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1198c) returned 0xa3b688 [0229.820] GetSystemDefaultLangID () returned 0xa20409 [0229.820] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.820] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1198c, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x1198c, lpOverlapped=0x0) returned 1 [0229.825] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.825] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1198c, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x1198c, lpOverlapped=0x0) returned 1 [0229.826] GetProcessHeap () returned 0xa10000 [0229.826] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.826] CloseHandle (hObject=0x264) returned 1 [0229.828] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.828] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.828] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.828] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.828] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.828] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.nefilim")) returned 1 [0229.829] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.829] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.829] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.830] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.830] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.830] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.830] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.830] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.830] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.830] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.830] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.830] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.830] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.830] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.830] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.830] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.830] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0229.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.831] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1038", cAlternateFileName="")) returned 1 [0229.831] lstrcmpiW (lpString1="1038", lpString2=".") returned 1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="..") returned 1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="...") returned 1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="windows") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="$RECYCLE.BIN") returned 1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="rsa") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="NTDETECT.COM") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="ntldr") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="MSDOS.SYS") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="IO.SYS") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="boot.ini") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="AUTOEXEC.BAT") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="ntuser.dat") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="desktop.ini") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="CONFIG.SYS") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="RECYCLER") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="BOOTSECT.BAK") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="bootmgr") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="programdata") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="appdata") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="program files") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="program files (x86)") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="microsoft") returned -1 [0229.831] lstrcmpiW (lpString1="1038", lpString2="sophos") returned -1 [0229.831] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.832] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.832] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.832] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.832] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0229.832] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.832] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.832] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.832] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.832] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.832] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.833] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.833] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.833] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.833] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.834] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.834] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.834] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=4254) returned 1 [0229.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.834] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.834] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.834] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.835] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.836] GetTickCount () returned 0x1179e46 [0229.836] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.836] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.836] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x109e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.836] SetLastError (dwErrCode=0x0) [0229.836] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.839] GetLastError () returned 0x0 [0229.839] GetLastError () returned 0x0 [0229.839] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x119e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.839] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.839] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x129e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.839] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf501119, dwHighDateTime=0x1d5fd73)) [0229.839] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.839] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.839] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.839] GetProcessHeap () returned 0xa10000 [0229.839] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x109e) returned 0xa3b688 [0229.839] GetSystemDefaultLangID () returned 0xa20409 [0229.839] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.839] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x109e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x109e, lpOverlapped=0x0) returned 1 [0229.841] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.841] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x109e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x109e, lpOverlapped=0x0) returned 1 [0229.841] GetProcessHeap () returned 0xa10000 [0229.841] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.841] CloseHandle (hObject=0x264) returned 1 [0229.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.843] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.843] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.nefilim")) returned 1 [0229.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.883] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.883] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.883] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.883] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.883] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.883] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.884] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.884] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.884] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=86442) returned 1 [0229.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.884] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.884] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.885] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.885] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.885] GetTickCount () returned 0x1179e75 [0229.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.885] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.885] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x151aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.885] SetLastError (dwErrCode=0x0) [0229.885] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.887] GetLastError () returned 0x0 [0229.887] GetLastError () returned 0x0 [0229.887] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x152aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.887] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.887] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x153aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.887] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf573735, dwHighDateTime=0x1d5fd73)) [0229.887] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.887] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.888] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.888] GetProcessHeap () returned 0xa10000 [0229.888] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x151aa) returned 0xa3b688 [0229.888] GetSystemDefaultLangID () returned 0xa20409 [0229.888] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.888] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x151aa, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x151aa, lpOverlapped=0x0) returned 1 [0229.894] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.894] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x151aa, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x151aa, lpOverlapped=0x0) returned 1 [0229.895] GetProcessHeap () returned 0xa10000 [0229.895] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.895] CloseHandle (hObject=0x264) returned 1 [0229.899] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.899] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.899] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.899] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.899] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.nefilim")) returned 1 [0229.900] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.900] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.900] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.900] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.901] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.901] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.901] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.901] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.901] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.901] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.901] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.901] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.901] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.901] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.901] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.901] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.901] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.901] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0229.901] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.901] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.901] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.901] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1040", cAlternateFileName="")) returned 1 [0229.901] lstrcmpiW (lpString1="1040", lpString2=".") returned 1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="..") returned 1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="...") returned 1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="windows") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="$RECYCLE.BIN") returned 1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="rsa") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="NTDETECT.COM") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="ntldr") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="MSDOS.SYS") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="IO.SYS") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="boot.ini") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="AUTOEXEC.BAT") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="ntuser.dat") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="desktop.ini") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="CONFIG.SYS") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="RECYCLER") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="BOOTSECT.BAK") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="bootmgr") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="programdata") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="appdata") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="program files") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="program files (x86)") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="microsoft") returned -1 [0229.902] lstrcmpiW (lpString1="1040", lpString2="sophos") returned -1 [0229.902] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.902] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.902] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.902] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.902] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.902] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0229.904] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.904] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.904] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.904] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.904] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.904] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.904] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.904] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.905] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.905] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.905] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.905] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.905] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.906] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.906] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.906] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.906] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.907] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3643) returned 1 [0229.907] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.907] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.907] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.907] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.907] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.907] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.907] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.908] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.910] GetTickCount () returned 0x1179e85 [0229.910] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0229.910] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.910] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.910] SetLastError (dwErrCode=0x0) [0229.910] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.912] GetLastError () returned 0x0 [0229.912] GetLastError () returned 0x0 [0229.912] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.912] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.912] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x103b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.912] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf5bfb12, dwHighDateTime=0x1d5fd73)) [0229.913] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.913] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.913] GetProcessHeap () returned 0xa10000 [0229.913] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe3b) returned 0xa3b688 [0229.913] GetSystemDefaultLangID () returned 0xa20409 [0229.913] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.913] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xe3b, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xe3b, lpOverlapped=0x0) returned 1 [0229.913] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.913] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xe3b, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xe3b, lpOverlapped=0x0) returned 1 [0229.913] GetProcessHeap () returned 0xa10000 [0229.913] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.913] CloseHandle (hObject=0x264) returned 1 [0229.914] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.914] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.914] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0229.914] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0229.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0229.914] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.nefilim")) returned 1 [0229.916] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.916] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.916] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0229.916] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0229.916] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0229.916] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0229.917] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0229.917] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0229.917] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0229.917] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0229.917] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0229.917] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0229.917] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0229.917] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0229.917] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0229.917] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0229.917] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0229.917] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0229.917] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0229.918] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0229.918] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0229.918] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0229.918] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0229.918] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0229.918] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0229.918] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0229.918] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.918] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.918] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=80060) returned 1 [0229.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0229.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0229.918] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0229.918] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0229.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.918] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.919] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0229.919] GetTickCount () returned 0x1179e94 [0229.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0229.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0229.919] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x138bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.919] SetLastError (dwErrCode=0x0) [0229.919] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.960] GetLastError () returned 0x0 [0229.960] GetLastError () returned 0x0 [0229.960] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x139bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.960] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0229.960] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13abc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.960] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf6322ef, dwHighDateTime=0x1d5fd73)) [0229.960] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0229.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0229.961] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0229.961] GetProcessHeap () returned 0xa10000 [0229.961] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x138bc) returned 0xa3b688 [0229.961] GetSystemDefaultLangID () returned 0xa20409 [0229.961] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.961] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x138bc, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x138bc, lpOverlapped=0x0) returned 1 [0229.967] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0229.967] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x138bc, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x138bc, lpOverlapped=0x0) returned 1 [0229.967] GetProcessHeap () returned 0xa10000 [0229.967] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0229.967] CloseHandle (hObject=0x264) returned 1 [0229.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0229.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0229.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0229.971] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0229.972] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.nefilim")) returned 1 [0229.972] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0229.972] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.972] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0229.973] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0229.974] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0229.974] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0229.974] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0229.974] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0229.974] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0229.974] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0229.974] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0229.974] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0229.974] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0229.974] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0229.974] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0229.974] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0229.974] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0229.974] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0229.974] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.974] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0229.974] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0229.974] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1041", cAlternateFileName="")) returned 1 [0229.974] lstrcmpiW (lpString1="1041", lpString2=".") returned 1 [0229.974] lstrcmpiW (lpString1="1041", lpString2="..") returned 1 [0229.974] lstrcmpiW (lpString1="1041", lpString2="...") returned 1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="windows") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="$RECYCLE.BIN") returned 1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="rsa") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="NTDETECT.COM") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="ntldr") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="MSDOS.SYS") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="IO.SYS") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="boot.ini") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="AUTOEXEC.BAT") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="ntuser.dat") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="desktop.ini") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="CONFIG.SYS") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="RECYCLER") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="BOOTSECT.BAK") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="bootmgr") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="programdata") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="appdata") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="program files") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="program files (x86)") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="microsoft") returned -1 [0229.975] lstrcmpiW (lpString1="1041", lpString2="sophos") returned -1 [0229.975] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0229.975] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0229.975] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0229.975] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0229.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0229.976] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0229.976] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0229.976] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.976] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0229.976] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0229.976] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0229.976] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0229.977] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0229.977] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0229.977] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0229.977] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0229.977] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0229.977] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0229.977] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0229.977] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0229.977] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0229.977] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0229.977] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0229.977] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0229.978] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0229.978] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0229.978] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0229.978] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0229.978] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0229.978] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0229.978] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0229.978] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0229.978] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0229.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0229.978] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0229.978] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=10125) returned 1 [0229.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0229.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0229.978] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0229.978] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0229.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0229.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0229.979] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0229.980] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.039] GetTickCount () returned 0x1179f11 [0230.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.039] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.039] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x278d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.039] SetLastError (dwErrCode=0x0) [0230.039] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.041] GetLastError () returned 0x0 [0230.041] GetLastError () returned 0x0 [0230.041] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x288d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.041] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.042] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x298d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.042] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf6f0e54, dwHighDateTime=0x1d5fd73)) [0230.042] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.042] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.042] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.042] GetProcessHeap () returned 0xa10000 [0230.042] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x278d) returned 0xa3b688 [0230.042] GetSystemDefaultLangID () returned 0xa20409 [0230.042] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.042] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x278d, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x278d, lpOverlapped=0x0) returned 1 [0230.046] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.046] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x278d, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x278d, lpOverlapped=0x0) returned 1 [0230.046] GetProcessHeap () returned 0xa10000 [0230.046] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.046] CloseHandle (hObject=0x264) returned 1 [0230.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0230.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0230.051] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0230.051] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.nefilim")) returned 1 [0230.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.054] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0230.054] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0230.054] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0230.055] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0230.055] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0230.055] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0230.055] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0230.055] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0230.055] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0230.055] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0230.056] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0230.056] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.056] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.056] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=68226) returned 1 [0230.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0230.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0230.057] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0230.057] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0230.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.057] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.057] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.057] GetTickCount () returned 0x1179f21 [0230.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0230.057] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0230.058] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10a82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.058] SetLastError (dwErrCode=0x0) [0230.058] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.060] GetLastError () returned 0x0 [0230.060] GetLastError () returned 0x0 [0230.060] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10b82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.060] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.060] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10c82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.060] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf7170aa, dwHighDateTime=0x1d5fd73)) [0230.060] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0230.060] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0230.060] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.060] GetProcessHeap () returned 0xa10000 [0230.060] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x10a82) returned 0xa3b688 [0230.060] GetSystemDefaultLangID () returned 0xa20409 [0230.060] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.060] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x10a82, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x10a82, lpOverlapped=0x0) returned 1 [0230.066] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.066] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x10a82, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x10a82, lpOverlapped=0x0) returned 1 [0230.067] GetProcessHeap () returned 0xa10000 [0230.067] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.067] CloseHandle (hObject=0x264) returned 1 [0230.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.072] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0230.072] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0230.072] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0230.072] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.nefilim")) returned 1 [0230.072] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.072] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.072] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0230.072] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0230.072] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0230.072] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0230.073] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0230.073] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.073] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.073] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0230.073] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0230.073] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0230.073] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0230.073] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0230.074] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0230.074] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0230.074] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0230.074] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0230.074] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0230.074] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0230.074] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.074] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0230.074] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0230.074] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1042", cAlternateFileName="")) returned 1 [0230.074] lstrcmpiW (lpString1="1042", lpString2=".") returned 1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="..") returned 1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="...") returned 1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="windows") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="$RECYCLE.BIN") returned 1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="rsa") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="NTDETECT.COM") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="ntldr") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="MSDOS.SYS") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="IO.SYS") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="boot.ini") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="AUTOEXEC.BAT") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="ntuser.dat") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="desktop.ini") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="CONFIG.SYS") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="RECYCLER") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="BOOTSECT.BAK") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="bootmgr") returned -1 [0230.074] lstrcmpiW (lpString1="1042", lpString2="programdata") returned -1 [0230.075] lstrcmpiW (lpString1="1042", lpString2="appdata") returned -1 [0230.075] lstrcmpiW (lpString1="1042", lpString2="program files") returned -1 [0230.075] lstrcmpiW (lpString1="1042", lpString2="program files (x86)") returned -1 [0230.075] lstrcmpiW (lpString1="1042", lpString2="microsoft") returned -1 [0230.075] lstrcmpiW (lpString1="1042", lpString2="sophos") returned -1 [0230.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0230.075] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0230.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0230.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0230.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.075] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0230.075] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0230.075] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.075] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0230.075] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0230.075] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0230.075] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0230.075] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0230.075] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0230.075] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0230.076] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0230.076] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0230.076] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.076] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0230.076] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0230.077] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0230.077] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0230.077] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.078] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=12687) returned 1 [0230.078] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0230.078] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0230.078] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0230.078] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0230.078] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.078] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.078] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.079] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.080] GetTickCount () returned 0x1179f30 [0230.080] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.081] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.081] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x318f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.081] SetLastError (dwErrCode=0x0) [0230.081] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.116] GetLastError () returned 0x0 [0230.116] GetLastError () returned 0x0 [0230.116] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x328f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.116] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.116] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x338f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.117] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf7afa2b, dwHighDateTime=0x1d5fd73)) [0230.117] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.117] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.117] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.117] GetProcessHeap () returned 0xa10000 [0230.117] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x318f) returned 0xa3b688 [0230.117] GetSystemDefaultLangID () returned 0xa20409 [0230.117] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.117] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x318f, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x318f, lpOverlapped=0x0) returned 1 [0230.119] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.119] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x318f, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x318f, lpOverlapped=0x0) returned 1 [0230.119] GetProcessHeap () returned 0xa10000 [0230.119] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.119] CloseHandle (hObject=0x264) returned 1 [0230.123] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.123] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.123] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0230.123] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0230.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0230.123] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.nefilim")) returned 1 [0230.126] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.126] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.126] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0230.127] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0230.127] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0230.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0230.128] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0230.128] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0230.128] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.128] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.128] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.129] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=65238) returned 1 [0230.129] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0230.129] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0230.129] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0230.129] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0230.129] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.129] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.129] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.131] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.131] GetTickCount () returned 0x1179f6f [0230.131] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0230.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0230.131] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfed6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.131] SetLastError (dwErrCode=0x0) [0230.131] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.134] GetLastError () returned 0x0 [0230.134] GetLastError () returned 0x0 [0230.134] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xffd6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.134] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.134] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x100d6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.134] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf7d5cd0, dwHighDateTime=0x1d5fd73)) [0230.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0230.134] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0230.134] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.134] GetProcessHeap () returned 0xa10000 [0230.134] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xfed6) returned 0xa3b688 [0230.134] GetSystemDefaultLangID () returned 0xa20409 [0230.135] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.135] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xfed6, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xfed6, lpOverlapped=0x0) returned 1 [0230.141] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.141] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xfed6, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xfed6, lpOverlapped=0x0) returned 1 [0230.141] GetProcessHeap () returned 0xa10000 [0230.141] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.141] CloseHandle (hObject=0x264) returned 1 [0230.147] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0230.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0230.148] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0230.148] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.nefilim")) returned 1 [0230.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.148] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0230.148] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0230.148] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0230.149] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0230.149] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.149] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.149] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0230.149] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0230.149] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0230.149] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0230.149] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0230.149] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0230.150] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0230.150] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0230.150] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0230.150] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0230.150] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0230.150] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.150] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0230.150] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0230.150] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1043", cAlternateFileName="")) returned 1 [0230.150] lstrcmpiW (lpString1="1043", lpString2=".") returned 1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="..") returned 1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="...") returned 1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="windows") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="$RECYCLE.BIN") returned 1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="rsa") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="NTDETECT.COM") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="ntldr") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="MSDOS.SYS") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="IO.SYS") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="boot.ini") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="AUTOEXEC.BAT") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="ntuser.dat") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="desktop.ini") returned -1 [0230.150] lstrcmpiW (lpString1="1043", lpString2="CONFIG.SYS") returned -1 [0230.151] lstrcmpiW (lpString1="1043", lpString2="RECYCLER") returned -1 [0230.151] lstrcmpiW (lpString1="1043", lpString2="BOOTSECT.BAK") returned -1 [0230.151] lstrcmpiW (lpString1="1043", lpString2="bootmgr") returned -1 [0230.151] lstrcmpiW (lpString1="1043", lpString2="programdata") returned -1 [0230.151] lstrcmpiW (lpString1="1043", lpString2="appdata") returned -1 [0230.151] lstrcmpiW (lpString1="1043", lpString2="program files") returned -1 [0230.151] lstrcmpiW (lpString1="1043", lpString2="program files (x86)") returned -1 [0230.151] lstrcmpiW (lpString1="1043", lpString2="microsoft") returned -1 [0230.151] lstrcmpiW (lpString1="1043", lpString2="sophos") returned -1 [0230.151] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0230.151] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0230.151] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0230.151] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0230.151] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.151] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0230.151] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0230.151] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.151] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0230.151] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0230.151] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0230.151] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0230.151] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0230.151] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0230.152] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0230.152] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0230.152] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.152] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0230.152] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0230.152] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0230.152] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0230.152] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0230.152] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0230.152] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0230.153] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0230.153] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.153] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0230.153] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.194] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3546) returned 1 [0230.194] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0230.194] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0230.194] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0230.194] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0230.194] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.195] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.195] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.195] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.196] GetTickCount () returned 0x1179fad [0230.196] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.196] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.197] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xdda, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.197] SetLastError (dwErrCode=0x0) [0230.197] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.205] GetLastError () returned 0x0 [0230.205] GetLastError () returned 0x0 [0230.205] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xeda, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.205] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.205] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfda, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.205] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf86e558, dwHighDateTime=0x1d5fd73)) [0230.205] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.205] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.206] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.206] GetProcessHeap () returned 0xa10000 [0230.206] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xdda) returned 0xa3b688 [0230.206] GetSystemDefaultLangID () returned 0xa20409 [0230.206] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.206] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xdda, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xdda, lpOverlapped=0x0) returned 1 [0230.206] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.206] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xdda, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xdda, lpOverlapped=0x0) returned 1 [0230.206] GetProcessHeap () returned 0xa10000 [0230.206] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.206] CloseHandle (hObject=0x264) returned 1 [0230.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0230.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0230.208] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0230.208] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.nefilim")) returned 1 [0230.210] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.211] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.211] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0230.211] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0230.211] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0230.211] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0230.212] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0230.212] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0230.212] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.212] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.212] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=79634) returned 1 [0230.213] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0230.213] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0230.213] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0230.213] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0230.213] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.213] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.213] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.213] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.213] GetTickCount () returned 0x1179fbd [0230.213] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0230.213] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0230.213] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13712, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.213] SetLastError (dwErrCode=0x0) [0230.213] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.216] GetLastError () returned 0x0 [0230.216] GetLastError () returned 0x0 [0230.216] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13812, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.216] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.216] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13912, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.216] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf8948fb, dwHighDateTime=0x1d5fd73)) [0230.216] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0230.216] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0230.216] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.216] GetProcessHeap () returned 0xa10000 [0230.216] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x13712) returned 0xa3b688 [0230.216] GetSystemDefaultLangID () returned 0xa20409 [0230.216] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.216] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x13712, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x13712, lpOverlapped=0x0) returned 1 [0230.222] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.223] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x13712, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x13712, lpOverlapped=0x0) returned 1 [0230.223] GetProcessHeap () returned 0xa10000 [0230.223] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.223] CloseHandle (hObject=0x264) returned 1 [0230.229] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.229] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.229] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0230.229] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0230.229] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0230.229] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.nefilim")) returned 1 [0230.230] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.230] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.230] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0230.230] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0230.230] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0230.230] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0230.230] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0230.230] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0230.230] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0230.230] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0230.230] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0230.231] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0230.231] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.231] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.231] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0230.231] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0230.231] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0230.231] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0230.231] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0230.231] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0230.231] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0230.231] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0230.231] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0230.231] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0230.231] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0230.232] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.232] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0230.232] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0230.232] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1044", cAlternateFileName="")) returned 1 [0230.232] lstrcmpiW (lpString1="1044", lpString2=".") returned 1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="..") returned 1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="...") returned 1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="windows") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="$RECYCLE.BIN") returned 1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="rsa") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="NTDETECT.COM") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="ntldr") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="MSDOS.SYS") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="IO.SYS") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="boot.ini") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="AUTOEXEC.BAT") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="ntuser.dat") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="desktop.ini") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="CONFIG.SYS") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="RECYCLER") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="BOOTSECT.BAK") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="bootmgr") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="programdata") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="appdata") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="program files") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="program files (x86)") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="microsoft") returned -1 [0230.232] lstrcmpiW (lpString1="1044", lpString2="sophos") returned -1 [0230.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0230.232] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0230.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0230.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0230.233] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.233] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0230.233] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0230.234] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.234] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0230.234] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0230.234] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0230.234] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0230.234] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0230.234] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.234] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0230.234] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0230.234] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0230.235] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0230.235] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.235] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0230.235] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.235] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3046) returned 1 [0230.235] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0230.235] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0230.235] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0230.235] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0230.235] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.235] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.235] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.236] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.237] GetTickCount () returned 0x1179fcd [0230.237] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.237] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xbe6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.237] SetLastError (dwErrCode=0x0) [0230.237] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.301] GetLastError () returned 0x0 [0230.301] GetLastError () returned 0x0 [0230.301] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xce6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.301] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.301] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xde6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.301] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf953437, dwHighDateTime=0x1d5fd73)) [0230.301] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.301] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.301] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.302] GetProcessHeap () returned 0xa10000 [0230.302] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xbe6) returned 0xa3b688 [0230.302] GetSystemDefaultLangID () returned 0xa20409 [0230.302] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.302] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xbe6, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xbe6, lpOverlapped=0x0) returned 1 [0230.302] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.302] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xbe6, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xbe6, lpOverlapped=0x0) returned 1 [0230.302] GetProcessHeap () returned 0xa10000 [0230.302] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.302] CloseHandle (hObject=0x264) returned 1 [0230.304] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.304] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.304] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0230.304] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0230.304] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0230.304] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.nefilim")) returned 1 [0230.306] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.306] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.306] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0230.306] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0230.307] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0230.307] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0230.307] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0230.307] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0230.308] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0230.308] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.308] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.308] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.309] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=79296) returned 1 [0230.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0230.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0230.309] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0230.309] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0230.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.309] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.309] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.310] GetTickCount () returned 0x117a01b [0230.310] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0230.310] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0230.310] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x135c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.310] SetLastError (dwErrCode=0x0) [0230.310] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.312] GetLastError () returned 0x0 [0230.312] GetLastError () returned 0x0 [0230.312] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x136c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.312] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.313] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x137c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.313] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaf9796ca, dwHighDateTime=0x1d5fd73)) [0230.313] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0230.313] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0230.313] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.313] GetProcessHeap () returned 0xa10000 [0230.313] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x135c0) returned 0xa3b688 [0230.313] GetSystemDefaultLangID () returned 0xa20409 [0230.313] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.313] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x135c0, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x135c0, lpOverlapped=0x0) returned 1 [0230.323] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.323] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x135c0, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x135c0, lpOverlapped=0x0) returned 1 [0230.323] GetProcessHeap () returned 0xa10000 [0230.323] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.323] CloseHandle (hObject=0x264) returned 1 [0230.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0230.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0230.330] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0230.330] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.nefilim")) returned 1 [0230.331] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.331] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.331] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0230.331] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0230.331] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0230.331] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0230.331] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0230.332] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0230.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.332] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.332] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0230.332] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0230.332] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0230.332] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0230.332] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0230.333] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0230.333] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0230.333] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0230.333] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0230.333] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0230.333] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0230.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0230.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0230.333] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1045", cAlternateFileName="")) returned 1 [0230.333] lstrcmpiW (lpString1="1045", lpString2=".") returned 1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="..") returned 1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="...") returned 1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="windows") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="$RECYCLE.BIN") returned 1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="rsa") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="NTDETECT.COM") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="ntldr") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="MSDOS.SYS") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="IO.SYS") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="boot.ini") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="AUTOEXEC.BAT") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="ntuser.dat") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="desktop.ini") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="CONFIG.SYS") returned -1 [0230.333] lstrcmpiW (lpString1="1045", lpString2="RECYCLER") returned -1 [0230.334] lstrcmpiW (lpString1="1045", lpString2="BOOTSECT.BAK") returned -1 [0230.334] lstrcmpiW (lpString1="1045", lpString2="bootmgr") returned -1 [0230.334] lstrcmpiW (lpString1="1045", lpString2="programdata") returned -1 [0230.334] lstrcmpiW (lpString1="1045", lpString2="appdata") returned -1 [0230.334] lstrcmpiW (lpString1="1045", lpString2="program files") returned -1 [0230.334] lstrcmpiW (lpString1="1045", lpString2="program files (x86)") returned -1 [0230.334] lstrcmpiW (lpString1="1045", lpString2="microsoft") returned -1 [0230.334] lstrcmpiW (lpString1="1045", lpString2="sophos") returned -1 [0230.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0230.334] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0230.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0230.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0230.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.334] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0230.496] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0230.496] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.496] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0230.496] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0230.496] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0230.496] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0230.497] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0230.497] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0230.497] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.497] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0230.497] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0230.497] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0230.497] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0230.497] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0230.497] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0230.497] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0230.497] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0230.497] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0230.497] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0230.498] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0230.498] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0230.498] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0230.498] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0230.498] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0230.498] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0230.498] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0230.498] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.498] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0230.498] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.498] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=4040) returned 1 [0230.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0230.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0230.499] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0230.499] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0230.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.499] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.500] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.501] GetTickCount () returned 0x117a0d6 [0230.501] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.501] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.501] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfc8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.501] SetLastError (dwErrCode=0x0) [0230.501] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.504] GetLastError () returned 0x0 [0230.504] GetLastError () returned 0x0 [0230.504] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.504] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.504] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x11c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.504] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xafb432f0, dwHighDateTime=0x1d5fd73)) [0230.504] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.504] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.504] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.505] GetProcessHeap () returned 0xa10000 [0230.505] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xfc8) returned 0xa3b688 [0230.505] GetSystemDefaultLangID () returned 0xa20409 [0230.505] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.505] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xfc8, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xfc8, lpOverlapped=0x0) returned 1 [0230.506] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.506] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xfc8, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xfc8, lpOverlapped=0x0) returned 1 [0230.506] GetProcessHeap () returned 0xa10000 [0230.506] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.506] CloseHandle (hObject=0x264) returned 1 [0230.513] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.513] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.513] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0230.513] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0230.513] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0230.513] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.nefilim")) returned 1 [0230.516] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.516] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.516] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0230.517] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0230.517] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0230.517] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0230.517] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0230.518] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0230.518] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.518] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.518] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.519] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=82374) returned 1 [0230.519] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0230.519] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0230.519] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0230.519] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0230.519] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.519] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.519] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.519] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.520] GetTickCount () returned 0x117a0e6 [0230.520] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0230.520] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0230.520] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x141c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.520] SetLastError (dwErrCode=0x0) [0230.520] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.522] GetLastError () returned 0x0 [0230.522] GetLastError () returned 0x0 [0230.522] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x142c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.522] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.522] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x143c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.523] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xafb8f6d3, dwHighDateTime=0x1d5fd73)) [0230.523] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0230.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0230.523] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.523] GetProcessHeap () returned 0xa10000 [0230.523] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x141c6) returned 0xa3b688 [0230.523] GetSystemDefaultLangID () returned 0xa20409 [0230.523] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.523] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x141c6, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x141c6, lpOverlapped=0x0) returned 1 [0230.530] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.530] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x141c6, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x141c6, lpOverlapped=0x0) returned 1 [0230.531] GetProcessHeap () returned 0xa10000 [0230.531] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.531] CloseHandle (hObject=0x264) returned 1 [0230.535] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.535] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.535] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0230.535] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0230.535] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0230.536] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.nefilim")) returned 1 [0230.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.571] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0230.571] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0230.571] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0230.571] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0230.571] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0230.571] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0230.571] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0230.571] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0230.572] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0230.572] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.572] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0230.572] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0230.572] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0230.572] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0230.572] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0230.572] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0230.572] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0230.572] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0230.572] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0230.573] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0230.573] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0230.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0230.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0230.573] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1046", cAlternateFileName="")) returned 1 [0230.573] lstrcmpiW (lpString1="1046", lpString2=".") returned 1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="..") returned 1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="...") returned 1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="windows") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="$RECYCLE.BIN") returned 1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="rsa") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="NTDETECT.COM") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="ntldr") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="MSDOS.SYS") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="IO.SYS") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="boot.ini") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="AUTOEXEC.BAT") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="ntuser.dat") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="desktop.ini") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="CONFIG.SYS") returned -1 [0230.573] lstrcmpiW (lpString1="1046", lpString2="RECYCLER") returned -1 [0230.574] lstrcmpiW (lpString1="1046", lpString2="BOOTSECT.BAK") returned -1 [0230.574] lstrcmpiW (lpString1="1046", lpString2="bootmgr") returned -1 [0230.574] lstrcmpiW (lpString1="1046", lpString2="programdata") returned -1 [0230.574] lstrcmpiW (lpString1="1046", lpString2="appdata") returned -1 [0230.574] lstrcmpiW (lpString1="1046", lpString2="program files") returned -1 [0230.574] lstrcmpiW (lpString1="1046", lpString2="program files (x86)") returned -1 [0230.574] lstrcmpiW (lpString1="1046", lpString2="microsoft") returned -1 [0230.574] lstrcmpiW (lpString1="1046", lpString2="sophos") returned -1 [0230.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0230.574] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0230.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0230.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0230.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.574] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0230.578] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0230.578] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.578] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0230.578] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0230.578] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0230.578] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0230.579] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0230.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0230.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.579] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0230.579] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0230.579] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0230.580] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0230.580] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0230.580] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.580] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3683) returned 1 [0230.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0230.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0230.581] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0230.581] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0230.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.581] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.582] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.583] GetTickCount () returned 0x117a134 [0230.583] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.583] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe63, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.583] SetLastError (dwErrCode=0x0) [0230.583] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.586] GetLastError () returned 0x0 [0230.586] GetLastError () returned 0x0 [0230.586] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf63, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.586] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.586] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1063, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.586] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xafc2804f, dwHighDateTime=0x1d5fd73)) [0230.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.586] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.586] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.586] GetProcessHeap () returned 0xa10000 [0230.586] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe63) returned 0xa3b688 [0230.586] GetSystemDefaultLangID () returned 0xa20409 [0230.586] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.586] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xe63, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xe63, lpOverlapped=0x0) returned 1 [0230.587] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.587] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xe63, lpOverlapped=0x0) returned 1 [0230.587] GetProcessHeap () returned 0xa10000 [0230.587] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.587] CloseHandle (hObject=0x264) returned 1 [0230.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0230.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0230.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0230.590] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.nefilim")) returned 1 [0230.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.594] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0230.594] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0230.595] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0230.595] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0230.595] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0230.595] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0230.595] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0230.595] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0230.595] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0230.595] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0230.595] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0230.595] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0230.596] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0230.596] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0230.596] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0230.596] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0230.596] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0230.596] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0230.596] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.596] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.596] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=80738) returned 1 [0230.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0230.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0230.597] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0230.597] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0230.597] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.597] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.597] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.597] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.598] GetTickCount () returned 0x117a134 [0230.598] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0230.598] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0230.598] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13b62, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.598] SetLastError (dwErrCode=0x0) [0230.598] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.600] GetLastError () returned 0x0 [0230.600] GetLastError () returned 0x0 [0230.600] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13c62, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.601] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.601] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13d62, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.601] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xafc4e37c, dwHighDateTime=0x1d5fd73)) [0230.601] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0230.601] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0230.601] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.601] GetProcessHeap () returned 0xa10000 [0230.601] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x13b62) returned 0xa3b688 [0230.601] GetSystemDefaultLangID () returned 0xa20409 [0230.601] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.601] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x13b62, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x13b62, lpOverlapped=0x0) returned 1 [0230.608] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.608] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x13b62, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x13b62, lpOverlapped=0x0) returned 1 [0230.609] GetProcessHeap () returned 0xa10000 [0230.609] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.609] CloseHandle (hObject=0x264) returned 1 [0230.670] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.670] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.670] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0230.670] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0230.670] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0230.670] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.nefilim")) returned 1 [0230.671] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.671] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.671] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0230.671] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0230.672] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0230.672] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.672] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.672] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0230.672] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0230.672] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0230.672] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0230.672] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0230.672] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0230.672] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0230.672] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0230.672] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0230.672] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0230.672] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0230.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0230.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0230.673] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1049", cAlternateFileName="")) returned 1 [0230.673] lstrcmpiW (lpString1="1049", lpString2=".") returned 1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="..") returned 1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="...") returned 1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="windows") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="$RECYCLE.BIN") returned 1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="rsa") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="NTDETECT.COM") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="ntldr") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="MSDOS.SYS") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="IO.SYS") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="boot.ini") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="AUTOEXEC.BAT") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="ntuser.dat") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="desktop.ini") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="CONFIG.SYS") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="RECYCLER") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="BOOTSECT.BAK") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="bootmgr") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="programdata") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="appdata") returned -1 [0230.673] lstrcmpiW (lpString1="1049", lpString2="program files") returned -1 [0230.674] lstrcmpiW (lpString1="1049", lpString2="program files (x86)") returned -1 [0230.674] lstrcmpiW (lpString1="1049", lpString2="microsoft") returned -1 [0230.674] lstrcmpiW (lpString1="1049", lpString2="sophos") returned -1 [0230.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0230.674] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0230.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0230.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0230.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.674] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0230.674] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0230.674] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.674] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0230.674] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0230.674] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0230.674] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0230.674] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0230.674] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0230.674] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0230.675] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0230.675] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0230.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.675] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0230.675] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0230.675] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0230.675] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0230.676] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0230.676] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0230.676] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.677] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=54456) returned 1 [0230.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0230.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0230.677] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0230.677] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0230.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.677] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.679] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.680] GetTickCount () returned 0x117a192 [0230.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.680] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd4b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.680] SetLastError (dwErrCode=0x0) [0230.680] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.682] GetLastError () returned 0x0 [0230.682] GetLastError () returned 0x0 [0230.682] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd5b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.682] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.683] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd6b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.683] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xafd0cf70, dwHighDateTime=0x1d5fd73)) [0230.683] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.683] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.683] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.683] GetProcessHeap () returned 0xa10000 [0230.683] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xd4b8) returned 0xa3b688 [0230.683] GetSystemDefaultLangID () returned 0xa20409 [0230.683] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.683] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xd4b8, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xd4b8, lpOverlapped=0x0) returned 1 [0230.688] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.688] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xd4b8, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xd4b8, lpOverlapped=0x0) returned 1 [0230.689] GetProcessHeap () returned 0xa10000 [0230.689] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.690] CloseHandle (hObject=0x264) returned 1 [0230.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0230.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0230.695] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0230.695] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.nefilim")) returned 1 [0230.698] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.698] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.698] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0230.698] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0230.698] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0230.698] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0230.698] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0230.698] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0230.699] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0230.699] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0230.699] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0230.699] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0230.699] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0230.699] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0230.699] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0230.699] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0230.700] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0230.700] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.700] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.700] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.700] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=81482) returned 1 [0230.700] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0230.700] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0230.701] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0230.701] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0230.701] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.701] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.701] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.702] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.702] GetTickCount () returned 0x117a1a1 [0230.702] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0230.702] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0230.702] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13e4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.703] SetLastError (dwErrCode=0x0) [0230.703] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.744] GetLastError () returned 0x0 [0230.744] GetLastError () returned 0x0 [0230.744] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13f4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.744] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.745] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1404a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.745] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xafda58e1, dwHighDateTime=0x1d5fd73)) [0230.745] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0230.745] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0230.745] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.745] GetProcessHeap () returned 0xa10000 [0230.745] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x13e4a) returned 0xa3b688 [0230.745] GetSystemDefaultLangID () returned 0xa20409 [0230.745] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.745] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x13e4a, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x13e4a, lpOverlapped=0x0) returned 1 [0230.752] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.752] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x13e4a, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x13e4a, lpOverlapped=0x0) returned 1 [0230.753] GetProcessHeap () returned 0xa10000 [0230.753] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.753] CloseHandle (hObject=0x264) returned 1 [0230.760] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.760] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.760] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0230.760] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0230.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0230.760] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.nefilim")) returned 1 [0230.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.761] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0230.761] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0230.762] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0230.762] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0230.762] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0230.762] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0230.762] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0230.762] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0230.762] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0230.762] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0230.762] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.762] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.762] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0230.762] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0230.762] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0230.762] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0230.762] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0230.762] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0230.762] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0230.762] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0230.762] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0230.762] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0230.762] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0230.762] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.763] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0230.763] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0230.763] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1053", cAlternateFileName="")) returned 1 [0230.763] lstrcmpiW (lpString1="1053", lpString2=".") returned 1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="..") returned 1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="...") returned 1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="windows") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="$RECYCLE.BIN") returned 1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="rsa") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="NTDETECT.COM") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="ntldr") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="MSDOS.SYS") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="IO.SYS") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="boot.ini") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="AUTOEXEC.BAT") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="ntuser.dat") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="desktop.ini") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="CONFIG.SYS") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="RECYCLER") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="BOOTSECT.BAK") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="bootmgr") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="programdata") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="appdata") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="program files") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="program files (x86)") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="microsoft") returned -1 [0230.763] lstrcmpiW (lpString1="1053", lpString2="sophos") returned -1 [0230.764] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0230.764] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0230.764] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0230.764] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0230.764] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.764] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0230.765] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0230.765] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.765] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0230.765] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0230.765] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0230.765] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0230.766] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0230.766] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0230.766] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.766] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0230.766] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0230.767] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0230.767] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0230.767] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0230.767] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0230.767] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0230.767] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.767] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0230.767] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.767] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3865) returned 1 [0230.767] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0230.767] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0230.767] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0230.767] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0230.767] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.767] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.767] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.769] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.770] GetTickCount () returned 0x117a1e0 [0230.770] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.770] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.770] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf19, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.770] SetLastError (dwErrCode=0x0) [0230.770] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.774] GetLastError () returned 0x0 [0230.774] GetLastError () returned 0x0 [0230.774] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1019, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.774] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.775] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1119, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.775] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xafdf5f9f, dwHighDateTime=0x1d5fd73)) [0230.775] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.775] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.775] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.775] GetProcessHeap () returned 0xa10000 [0230.775] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xf19) returned 0xa3b688 [0230.775] GetSystemDefaultLangID () returned 0xa20409 [0230.775] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.775] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xf19, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xf19, lpOverlapped=0x0) returned 1 [0230.775] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.775] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xf19, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xf19, lpOverlapped=0x0) returned 1 [0230.776] GetProcessHeap () returned 0xa10000 [0230.776] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.776] CloseHandle (hObject=0x264) returned 1 [0230.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0230.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0230.779] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0230.779] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.nefilim")) returned 1 [0230.823] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.823] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.823] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0230.823] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0230.823] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0230.823] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0230.824] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0230.824] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0230.824] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0230.824] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0230.825] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0230.825] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.825] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.825] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.826] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=77680) returned 1 [0230.826] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0230.826] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0230.826] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0230.826] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0230.826] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.827] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.827] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.827] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.827] GetTickCount () returned 0x117a21e [0230.827] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0230.827] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0230.827] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.827] SetLastError (dwErrCode=0x0) [0230.827] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.830] GetLastError () returned 0x0 [0230.830] GetLastError () returned 0x0 [0230.830] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.830] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.830] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.830] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xafe64483, dwHighDateTime=0x1d5fd73)) [0230.830] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0230.830] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0230.830] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.830] GetProcessHeap () returned 0xa10000 [0230.830] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12f70) returned 0xa3b688 [0230.830] GetSystemDefaultLangID () returned 0xa20409 [0230.830] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.830] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x12f70, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x12f70, lpOverlapped=0x0) returned 1 [0230.837] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.837] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x12f70, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x12f70, lpOverlapped=0x0) returned 1 [0230.838] GetProcessHeap () returned 0xa10000 [0230.838] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.838] CloseHandle (hObject=0x264) returned 1 [0230.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0230.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0230.843] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0230.843] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.nefilim")) returned 1 [0230.844] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.844] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.844] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0230.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0230.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0230.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0230.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0230.845] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0230.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.845] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0230.845] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0230.845] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0230.845] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0230.845] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0230.846] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0230.846] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0230.846] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0230.846] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0230.846] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0230.846] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0230.846] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.846] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0230.846] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0230.846] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="1055", cAlternateFileName="")) returned 1 [0230.846] lstrcmpiW (lpString1="1055", lpString2=".") returned 1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="..") returned 1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="...") returned 1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="windows") returned -1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="$RECYCLE.BIN") returned 1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="rsa") returned -1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="NTDETECT.COM") returned -1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="ntldr") returned -1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="MSDOS.SYS") returned -1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="IO.SYS") returned -1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="boot.ini") returned -1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="AUTOEXEC.BAT") returned -1 [0230.846] lstrcmpiW (lpString1="1055", lpString2="ntuser.dat") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="desktop.ini") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="CONFIG.SYS") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="RECYCLER") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="BOOTSECT.BAK") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="bootmgr") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="programdata") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="appdata") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="program files") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="program files (x86)") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="microsoft") returned -1 [0230.847] lstrcmpiW (lpString1="1055", lpString2="sophos") returned -1 [0230.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0230.847] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0230.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0230.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0230.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.847] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0230.847] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0230.847] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.847] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0230.847] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0230.848] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0230.848] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0230.849] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0230.849] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0230.849] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0230.849] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0230.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.849] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0230.849] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0230.849] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.849] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0230.850] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.858] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3859) returned 1 [0230.858] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0230.858] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0230.858] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0230.858] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0230.858] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.858] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.858] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.859] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.860] GetTickCount () returned 0x117a23e [0230.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.860] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.860] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf13, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.860] SetLastError (dwErrCode=0x0) [0230.860] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.901] GetLastError () returned 0x0 [0230.901] GetLastError () returned 0x0 [0230.901] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1013, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.901] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.901] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1113, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.901] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaff2305c, dwHighDateTime=0x1d5fd73)) [0230.901] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.901] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.901] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.901] GetProcessHeap () returned 0xa10000 [0230.901] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xf13) returned 0xa3b688 [0230.901] GetSystemDefaultLangID () returned 0xa20409 [0230.901] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.901] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xf13, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xf13, lpOverlapped=0x0) returned 1 [0230.902] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.902] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xf13, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xf13, lpOverlapped=0x0) returned 1 [0230.902] GetProcessHeap () returned 0xa10000 [0230.902] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.902] CloseHandle (hObject=0x264) returned 1 [0230.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0230.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0230.907] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0230.908] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.nefilim")) returned 1 [0230.931] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.931] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.931] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0230.931] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0230.932] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0230.932] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0230.932] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0230.932] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0230.932] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0230.932] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0230.932] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0230.932] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.932] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.932] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.933] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=76818) returned 1 [0230.933] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0230.933] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0230.933] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0230.933] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0230.933] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.933] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.933] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.933] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.933] GetTickCount () returned 0x117a28c [0230.933] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0230.934] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0230.934] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12c12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.934] SetLastError (dwErrCode=0x0) [0230.934] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.944] GetLastError () returned 0x0 [0230.944] GetLastError () returned 0x0 [0230.944] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12d12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.944] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.944] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12e12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.944] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xaff954ea, dwHighDateTime=0x1d5fd73)) [0230.944] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0230.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0230.944] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.944] GetProcessHeap () returned 0xa10000 [0230.944] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12c12) returned 0xa3b688 [0230.945] GetSystemDefaultLangID () returned 0xa20409 [0230.945] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.945] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x12c12, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x12c12, lpOverlapped=0x0) returned 1 [0230.954] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.954] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x12c12, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x12c12, lpOverlapped=0x0) returned 1 [0230.954] GetProcessHeap () returned 0xa10000 [0230.954] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0230.954] CloseHandle (hObject=0x264) returned 1 [0230.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0230.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0230.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0230.960] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0230.960] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.nefilim")) returned 1 [0230.961] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0230.961] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.961] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0230.961] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0230.962] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0230.962] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0230.962] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0230.962] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0230.962] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0230.962] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0230.962] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0230.962] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0230.962] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0230.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0230.962] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0230.962] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0230.962] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0230.962] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0230.962] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0230.962] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0230.962] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0230.962] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0230.962] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0230.962] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0230.962] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0230.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0230.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0230.963] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="2052", cAlternateFileName="")) returned 1 [0230.963] lstrcmpiW (lpString1="2052", lpString2=".") returned 1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="..") returned 1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="...") returned 1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="windows") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="$RECYCLE.BIN") returned 1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="rsa") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="NTDETECT.COM") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="ntldr") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="MSDOS.SYS") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="IO.SYS") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="boot.ini") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="AUTOEXEC.BAT") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="ntuser.dat") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="desktop.ini") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="CONFIG.SYS") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="RECYCLER") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="BOOTSECT.BAK") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="bootmgr") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="programdata") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="appdata") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="program files") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="program files (x86)") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="microsoft") returned -1 [0230.963] lstrcmpiW (lpString1="2052", lpString2="sophos") returned -1 [0230.964] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0230.964] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0230.964] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0230.964] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0230.964] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.964] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f320 [0230.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0230.964] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.964] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0230.964] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0230.964] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0230.964] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0230.964] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0230.964] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0230.964] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0230.964] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0230.964] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0230.964] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0230.964] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0230.965] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0230.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0230.965] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.965] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0230.965] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0230.965] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0230.965] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0230.965] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0230.965] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0230.965] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0230.965] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0230.965] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0230.966] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0230.966] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0230.966] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0230.966] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0230.966] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0230.966] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0230.966] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0230.966] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0230.966] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0230.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0230.966] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0230.966] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=5827) returned 1 [0230.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0230.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0230.966] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0230.966] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0230.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0230.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0230.967] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0230.968] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0230.997] GetTickCount () returned 0x117a2ca [0230.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0230.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.997] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x16c3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.997] SetLastError (dwErrCode=0x0) [0230.997] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.999] GetLastError () returned 0x0 [0230.999] GetLastError () returned 0x0 [0230.999] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x17c3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.999] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0230.999] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x18c3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.999] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0007db9, dwHighDateTime=0x1d5fd73)) [0230.999] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0230.999] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0230.999] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0230.999] GetProcessHeap () returned 0xa10000 [0230.999] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x16c3) returned 0xa3b688 [0230.999] GetSystemDefaultLangID () returned 0xa20409 [0230.999] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0230.999] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x16c3, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x16c3, lpOverlapped=0x0) returned 1 [0231.000] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.000] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x16c3, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x16c3, lpOverlapped=0x0) returned 1 [0231.000] GetProcessHeap () returned 0xa10000 [0231.000] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.001] CloseHandle (hObject=0x264) returned 1 [0231.001] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.001] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.002] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0231.002] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0231.002] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0231.002] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.nefilim")) returned 1 [0231.008] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.008] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0231.008] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0231.008] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0231.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0231.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0231.009] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0231.009] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0231.009] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0231.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.010] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.010] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=60684) returned 1 [0231.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0231.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0231.010] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0231.010] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0231.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.010] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.010] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.011] GetTickCount () returned 0x117a2da [0231.011] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0231.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.011] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xed0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.011] SetLastError (dwErrCode=0x0) [0231.011] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.013] GetLastError () returned 0x0 [0231.013] GetLastError () returned 0x0 [0231.013] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xee0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.013] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.013] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xef0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.013] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb002ded8, dwHighDateTime=0x1d5fd73)) [0231.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.013] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.013] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.013] GetProcessHeap () returned 0xa10000 [0231.013] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xed0c) returned 0xa3b688 [0231.013] GetSystemDefaultLangID () returned 0xa20409 [0231.013] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.013] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xed0c, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xed0c, lpOverlapped=0x0) returned 1 [0231.018] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.018] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xed0c, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xed0c, lpOverlapped=0x0) returned 1 [0231.018] GetProcessHeap () returned 0xa10000 [0231.018] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.018] CloseHandle (hObject=0x264) returned 1 [0231.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0231.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0231.021] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.021] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.nefilim")) returned 1 [0231.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.021] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0231.021] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0231.022] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0231.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0231.022] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0231.022] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0231.022] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0231.022] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0231.022] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0231.023] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0231.023] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0231.023] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0231.023] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0231.023] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0231.023] FindClose (in: hFindFile=0xa2f320 | out: hFindFile=0xa2f320) returned 1 [0231.023] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.023] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0231.023] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0231.023] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="2070", cAlternateFileName="")) returned 1 [0231.023] lstrcmpiW (lpString1="2070", lpString2=".") returned 1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="..") returned 1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="...") returned 1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="windows") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="$RECYCLE.BIN") returned 1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="rsa") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="NTDETECT.COM") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="ntldr") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="MSDOS.SYS") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="IO.SYS") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="boot.ini") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="AUTOEXEC.BAT") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="ntuser.dat") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="desktop.ini") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="CONFIG.SYS") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="RECYCLER") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="BOOTSECT.BAK") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="bootmgr") returned -1 [0231.023] lstrcmpiW (lpString1="2070", lpString2="programdata") returned -1 [0231.024] lstrcmpiW (lpString1="2070", lpString2="appdata") returned -1 [0231.024] lstrcmpiW (lpString1="2070", lpString2="program files") returned -1 [0231.024] lstrcmpiW (lpString1="2070", lpString2="program files (x86)") returned -1 [0231.024] lstrcmpiW (lpString1="2070", lpString2="microsoft") returned -1 [0231.024] lstrcmpiW (lpString1="2070", lpString2="sophos") returned -1 [0231.024] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0231.024] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0231.024] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0231.024] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0231.024] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0231.024] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0231.030] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0231.030] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.030] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0231.030] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0231.030] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0231.030] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0231.031] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0231.031] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0231.031] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0231.031] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0231.031] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0231.031] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0231.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0231.031] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.031] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0231.031] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0231.031] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0231.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0231.031] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.070] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=4015) returned 1 [0231.070] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0231.070] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0231.070] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0231.070] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0231.070] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.070] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.070] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.071] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.072] GetTickCount () returned 0x117a318 [0231.072] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0231.072] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.072] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfaf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.072] SetLastError (dwErrCode=0x0) [0231.072] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.075] GetLastError () returned 0x0 [0231.075] GetLastError () returned 0x0 [0231.075] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10af, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.075] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.075] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x11af, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.075] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb00c69ba, dwHighDateTime=0x1d5fd73)) [0231.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0231.075] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.075] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.075] GetProcessHeap () returned 0xa10000 [0231.075] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xfaf) returned 0xa3b688 [0231.075] GetSystemDefaultLangID () returned 0xa20409 [0231.075] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.075] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xfaf, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xfaf, lpOverlapped=0x0) returned 1 [0231.076] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.076] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xfaf, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xfaf, lpOverlapped=0x0) returned 1 [0231.076] GetProcessHeap () returned 0xa10000 [0231.076] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.076] CloseHandle (hObject=0x264) returned 1 [0231.078] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.078] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.078] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0231.078] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0231.078] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0231.078] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.nefilim")) returned 1 [0231.080] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.080] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0231.080] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0231.080] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0231.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0231.081] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0231.081] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0231.081] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0231.082] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0231.082] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0231.082] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.082] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.083] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=80254) returned 1 [0231.083] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0231.083] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0231.083] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0231.083] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0231.083] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.083] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.083] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.083] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.084] GetTickCount () returned 0x117a328 [0231.084] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0231.084] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.084] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1397e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.084] SetLastError (dwErrCode=0x0) [0231.084] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.086] GetLastError () returned 0x0 [0231.086] GetLastError () returned 0x0 [0231.086] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13a7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.086] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.087] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13b7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.087] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb00eccbf, dwHighDateTime=0x1d5fd73)) [0231.087] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.087] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.087] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.087] GetProcessHeap () returned 0xa10000 [0231.087] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1397e) returned 0xa3b688 [0231.087] GetSystemDefaultLangID () returned 0xa20409 [0231.087] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.087] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1397e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x1397e, lpOverlapped=0x0) returned 1 [0231.094] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.094] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1397e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x1397e, lpOverlapped=0x0) returned 1 [0231.094] GetProcessHeap () returned 0xa10000 [0231.094] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.094] CloseHandle (hObject=0x264) returned 1 [0231.097] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.097] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.097] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0231.097] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0231.097] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.097] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.nefilim")) returned 1 [0231.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.109] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0231.109] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0231.109] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0231.109] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0231.110] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0231.110] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0231.110] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0231.110] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0231.110] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0231.111] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0231.111] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0231.111] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0231.111] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0231.111] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0231.111] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0231.111] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0231.111] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0231.111] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.111] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0231.111] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0231.111] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="3076", cAlternateFileName="")) returned 1 [0231.111] lstrcmpiW (lpString1="3076", lpString2=".") returned 1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="..") returned 1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="...") returned 1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="windows") returned -1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="$RECYCLE.BIN") returned 1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="rsa") returned -1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="NTDETECT.COM") returned -1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="ntldr") returned -1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="MSDOS.SYS") returned -1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="IO.SYS") returned -1 [0231.111] lstrcmpiW (lpString1="3076", lpString2="boot.ini") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="AUTOEXEC.BAT") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="ntuser.dat") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="desktop.ini") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="CONFIG.SYS") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="RECYCLER") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="BOOTSECT.BAK") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="bootmgr") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="programdata") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="appdata") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="program files") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="program files (x86)") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="microsoft") returned -1 [0231.112] lstrcmpiW (lpString1="3076", lpString2="sophos") returned -1 [0231.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0231.112] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0231.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0231.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0231.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0231.112] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0231.113] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0231.113] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.113] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0231.113] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0231.113] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0231.113] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0231.114] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0231.114] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0231.114] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0231.114] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0231.114] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0231.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.114] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0231.114] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0231.114] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0231.114] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0231.114] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.149] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=6309) returned 1 [0231.149] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0231.149] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0231.149] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0231.149] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0231.149] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.149] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.149] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.151] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.152] GetTickCount () returned 0x117a367 [0231.152] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0231.152] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.152] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x18a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.152] SetLastError (dwErrCode=0x0) [0231.152] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.154] GetLastError () returned 0x0 [0231.154] GetLastError () returned 0x0 [0231.154] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x19a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.154] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.154] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1aa5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.155] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0185672, dwHighDateTime=0x1d5fd73)) [0231.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0231.155] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.155] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.155] GetProcessHeap () returned 0xa10000 [0231.155] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x18a5) returned 0xa3b688 [0231.155] GetSystemDefaultLangID () returned 0xa20409 [0231.155] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.155] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x18a5, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x18a5, lpOverlapped=0x0) returned 1 [0231.156] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.156] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x18a5, lpOverlapped=0x0) returned 1 [0231.157] GetProcessHeap () returned 0xa10000 [0231.157] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.157] CloseHandle (hObject=0x264) returned 1 [0231.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0231.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0231.159] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0231.160] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.nefilim")) returned 1 [0231.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0231.163] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0231.163] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0231.164] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0231.164] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0231.164] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0231.164] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0231.164] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0231.164] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0231.164] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0231.164] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0231.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0231.164] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0231.164] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0231.165] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0231.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.165] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.165] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=60816) returned 1 [0231.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0231.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0231.165] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0231.165] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0231.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.165] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.166] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.166] GetTickCount () returned 0x117a376 [0231.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0231.166] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.166] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xed90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.166] SetLastError (dwErrCode=0x0) [0231.166] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.169] GetLastError () returned 0x0 [0231.169] GetLastError () returned 0x0 [0231.169] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xee90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.169] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.169] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xef90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.169] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb01ab627, dwHighDateTime=0x1d5fd73)) [0231.169] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.169] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.169] GetProcessHeap () returned 0xa10000 [0231.169] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xed90) returned 0xa3b688 [0231.169] GetSystemDefaultLangID () returned 0xa20409 [0231.169] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.169] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xed90, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xed90, lpOverlapped=0x0) returned 1 [0231.175] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.175] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xed90, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xed90, lpOverlapped=0x0) returned 1 [0231.175] GetProcessHeap () returned 0xa10000 [0231.175] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.175] CloseHandle (hObject=0x264) returned 1 [0231.178] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.178] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.178] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0231.178] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0231.178] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.178] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.nefilim")) returned 1 [0231.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.179] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0231.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0231.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0231.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0231.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0231.179] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0231.180] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0231.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0231.180] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0231.180] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0231.180] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0231.180] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0231.181] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0231.181] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0231.181] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0231.181] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0231.181] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0231.181] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0231.181] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0231.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0231.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0231.181] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="3082", cAlternateFileName="")) returned 1 [0231.181] lstrcmpiW (lpString1="3082", lpString2=".") returned 1 [0231.181] lstrcmpiW (lpString1="3082", lpString2="..") returned 1 [0231.181] lstrcmpiW (lpString1="3082", lpString2="...") returned 1 [0231.181] lstrcmpiW (lpString1="3082", lpString2="windows") returned -1 [0231.181] lstrcmpiW (lpString1="3082", lpString2="$RECYCLE.BIN") returned 1 [0231.181] lstrcmpiW (lpString1="3082", lpString2="rsa") returned -1 [0231.181] lstrcmpiW (lpString1="3082", lpString2="NTDETECT.COM") returned -1 [0231.181] lstrcmpiW (lpString1="3082", lpString2="ntldr") returned -1 [0231.181] lstrcmpiW (lpString1="3082", lpString2="MSDOS.SYS") returned -1 [0231.181] lstrcmpiW (lpString1="3082", lpString2="IO.SYS") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="boot.ini") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="AUTOEXEC.BAT") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="ntuser.dat") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="desktop.ini") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="CONFIG.SYS") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="RECYCLER") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="BOOTSECT.BAK") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="bootmgr") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="programdata") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="appdata") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="program files") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="program files (x86)") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="microsoft") returned -1 [0231.182] lstrcmpiW (lpString1="3082", lpString2="sophos") returned -1 [0231.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0231.182] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0231.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0231.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0231.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0231.182] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f9e0 [0231.183] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0231.183] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.183] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0231.183] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0231.183] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0231.183] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0231.184] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0231.184] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0231.184] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0231.184] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0231.184] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0231.184] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0231.184] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0231.184] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0231.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1450 [0231.184] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.184] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0231.184] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0231.185] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0231.185] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0231.185] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0231.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d14a8 [0231.185] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.185] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=3069) returned 1 [0231.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0231.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1518 [0231.185] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0231.185] SystemFunction036 (in: RandomBuffer=0x28d1518, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1518) returned 1 [0231.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.185] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.187] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.243] GetTickCount () returned 0x117a3c4 [0231.243] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1408 [0231.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.243] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xbfd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.243] SetLastError (dwErrCode=0x0) [0231.243] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.245] GetLastError () returned 0x0 [0231.245] GetLastError () returned 0x0 [0231.245] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xcfd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.245] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.246] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xdfd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.246] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb026b151, dwHighDateTime=0x1d5fd73)) [0231.246] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1408 [0231.246] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.246] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.246] GetProcessHeap () returned 0xa10000 [0231.246] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xbfd) returned 0xa3b688 [0231.246] GetSystemDefaultLangID () returned 0xa20409 [0231.246] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.246] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xbfd, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0xbfd, lpOverlapped=0x0) returned 1 [0231.246] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.246] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xbfd, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0xbfd, lpOverlapped=0x0) returned 1 [0231.247] GetProcessHeap () returned 0xa10000 [0231.247] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.247] CloseHandle (hObject=0x264) returned 1 [0231.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1500 | out: hHeap=0x28d0000) returned 1 [0231.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1518 | out: hHeap=0x28d0000) returned 1 [0231.249] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1fd0 [0231.249] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.nefilim")) returned 1 [0231.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0231.253] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0231.253] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0231.254] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0231.254] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14a8 [0231.254] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0231.254] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0231.254] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0231.254] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0231.254] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0231.254] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0231.254] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0231.254] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0231.254] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0231.254] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0231.254] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0231.255] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0231.255] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0231.255] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0231.255] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0231.255] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0231.255] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0231.255] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0231.255] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0231.255] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.255] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.255] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=79996) returned 1 [0231.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1510 [0231.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1528 [0231.256] SystemFunction036 (in: RandomBuffer=0x28d1510, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1510) returned 1 [0231.256] SystemFunction036 (in: RandomBuffer=0x28d1528, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1528) returned 1 [0231.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.256] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.256] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.257] GetTickCount () returned 0x117a3d4 [0231.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1470 [0231.257] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.257] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1387c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.257] SetLastError (dwErrCode=0x0) [0231.257] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.259] GetLastError () returned 0x0 [0231.259] GetLastError () returned 0x0 [0231.259] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1397c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.259] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.259] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13a7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.259] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0290760, dwHighDateTime=0x1d5fd73)) [0231.260] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.260] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.260] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.260] GetProcessHeap () returned 0xa10000 [0231.260] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1387c) returned 0xa3b688 [0231.260] GetSystemDefaultLangID () returned 0xa20409 [0231.260] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.260] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1387c, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x1387c, lpOverlapped=0x0) returned 1 [0231.267] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.267] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1387c, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x1387c, lpOverlapped=0x0) returned 1 [0231.268] GetProcessHeap () returned 0xa10000 [0231.268] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.268] CloseHandle (hObject=0x264) returned 1 [0231.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1510 | out: hHeap=0x28d0000) returned 1 [0231.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1528 | out: hHeap=0x28d0000) returned 1 [0231.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.271] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.nefilim")) returned 1 [0231.272] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.272] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.272] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0231.272] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0231.272] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0231.272] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0231.272] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0231.272] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0231.272] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0231.273] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0231.273] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.273] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a8 | out: hHeap=0x28d0000) returned 1 [0231.273] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0231.273] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0231.273] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0231.273] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0231.273] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0231.274] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0231.274] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0231.274] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0231.274] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0231.274] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0231.274] FindClose (in: hFindFile=0xa2f9e0 | out: hFindFile=0xa2f9e0) returned 1 [0231.274] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.274] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0231.274] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0231.274] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Client", cAlternateFileName="")) returned 1 [0231.274] lstrcmpiW (lpString1="Client", lpString2=".") returned 1 [0231.274] lstrcmpiW (lpString1="Client", lpString2="..") returned 1 [0231.274] lstrcmpiW (lpString1="Client", lpString2="...") returned 1 [0231.274] lstrcmpiW (lpString1="Client", lpString2="windows") returned -1 [0231.274] lstrcmpiW (lpString1="Client", lpString2="$RECYCLE.BIN") returned 1 [0231.274] lstrcmpiW (lpString1="Client", lpString2="rsa") returned -1 [0231.274] lstrcmpiW (lpString1="Client", lpString2="NTDETECT.COM") returned -1 [0231.274] lstrcmpiW (lpString1="Client", lpString2="ntldr") returned -1 [0231.274] lstrcmpiW (lpString1="Client", lpString2="MSDOS.SYS") returned -1 [0231.274] lstrcmpiW (lpString1="Client", lpString2="IO.SYS") returned -1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="boot.ini") returned 1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="AUTOEXEC.BAT") returned 1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="ntuser.dat") returned -1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="desktop.ini") returned -1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="CONFIG.SYS") returned -1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="RECYCLER") returned -1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="BOOTSECT.BAK") returned 1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="bootmgr") returned 1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="programdata") returned -1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="appdata") returned 1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="program files") returned -1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="program files (x86)") returned -1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="microsoft") returned -1 [0231.275] lstrcmpiW (lpString1="Client", lpString2="sophos") returned -1 [0231.275] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0231.275] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0231.275] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0231.275] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0231.275] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1408 [0231.275] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0231.342] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0231.342] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0231.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0231.342] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0231.342] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2=".") returned 1 [0231.342] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="..") returned 1 [0231.342] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="...") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="windows") returned -1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="rsa") returned -1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="NTDETECT.COM") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="ntldr") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="MSDOS.SYS") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="IO.SYS") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="boot.ini") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="ntuser.dat") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="desktop.ini") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="CONFIG.SYS") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="RECYCLER") returned -1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="bootmgr") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="programdata") returned -1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="appdata") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="program files") returned -1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="program files (x86)") returned -1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="microsoft") returned 1 [0231.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="sophos") returned -1 [0231.343] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1460 [0231.343] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.343] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0231.344] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0231.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.344] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14c8 [0231.344] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.345] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=201796) returned 1 [0231.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1408 [0231.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1420 [0231.345] SystemFunction036 (in: RandomBuffer=0x28d1408, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1408) returned 1 [0231.345] SystemFunction036 (in: RandomBuffer=0x28d1420, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1420) returned 1 [0231.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.345] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.346] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.347] GetTickCount () returned 0x117a422 [0231.347] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d21e0 [0231.347] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.347] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x31444, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.347] SetLastError (dwErrCode=0x0) [0231.347] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.479] GetLastError () returned 0x0 [0231.479] GetLastError () returned 0x0 [0231.479] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x31544, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.479] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.479] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x31644, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.479] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb04b4145, dwHighDateTime=0x1d5fd73)) [0231.479] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.479] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.480] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.480] GetProcessHeap () returned 0xa10000 [0231.480] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x31444) returned 0xa3b688 [0231.481] GetSystemDefaultLangID () returned 0xa20409 [0231.481] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.481] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x31444, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x31444, lpOverlapped=0x0) returned 1 [0231.506] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.506] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x31444, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x31444, lpOverlapped=0x0) returned 1 [0231.508] GetProcessHeap () returned 0xa10000 [0231.508] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.508] CloseHandle (hObject=0x264) returned 1 [0231.515] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.516] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.516] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.516] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1420 | out: hHeap=0x28d0000) returned 1 [0231.516] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.516] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.nefilim")) returned 1 [0231.517] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.517] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0231.517] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2=".") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="..") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="...") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="windows") returned -1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="rsa") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NTDETECT.COM") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntldr") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="MSDOS.SYS") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="IO.SYS") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="boot.ini") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntuser.dat") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="desktop.ini") returned 1 [0231.517] lstrcmpiW (lpString1="UiInfo.xml", lpString2="CONFIG.SYS") returned 1 [0231.518] lstrcmpiW (lpString1="UiInfo.xml", lpString2="RECYCLER") returned 1 [0231.518] lstrcmpiW (lpString1="UiInfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0231.518] lstrcmpiW (lpString1="UiInfo.xml", lpString2="bootmgr") returned 1 [0231.518] lstrcmpiW (lpString1="UiInfo.xml", lpString2="programdata") returned 1 [0231.518] lstrcmpiW (lpString1="UiInfo.xml", lpString2="appdata") returned 1 [0231.518] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files") returned 1 [0231.518] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files (x86)") returned 1 [0231.518] lstrcmpiW (lpString1="UiInfo.xml", lpString2="microsoft") returned 1 [0231.518] lstrcmpiW (lpString1="UiInfo.xml", lpString2="sophos") returned 1 [0231.518] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1408 [0231.518] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1460 | out: hHeap=0x28d0000) returned 1 [0231.518] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0231.518] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0231.519] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0231.519] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0231.519] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0231.519] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.519] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1460 [0231.519] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.561] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=39042) returned 1 [0231.561] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14b8 [0231.562] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d0 [0231.562] SystemFunction036 (in: RandomBuffer=0x28d14b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14b8) returned 1 [0231.562] SystemFunction036 (in: RandomBuffer=0x28d14d0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d0) returned 1 [0231.562] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.562] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.562] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.564] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.566] GetTickCount () returned 0x117a50c [0231.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14e8 [0231.566] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14e8 | out: hHeap=0x28d0000) returned 1 [0231.566] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9882, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.566] SetLastError (dwErrCode=0x0) [0231.566] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.568] GetLastError () returned 0x0 [0231.568] GetLastError () returned 0x0 [0231.568] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9982, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.569] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.569] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9a82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.569] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0574890, dwHighDateTime=0x1d5fd73)) [0231.569] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14e8 [0231.569] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14e8 | out: hHeap=0x28d0000) returned 1 [0231.569] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.569] GetProcessHeap () returned 0xa10000 [0231.569] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x9882) returned 0xa3b688 [0231.569] GetSystemDefaultLangID () returned 0xa20409 [0231.569] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.569] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x9882, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x9882, lpOverlapped=0x0) returned 1 [0231.573] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.573] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x9882, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x9882, lpOverlapped=0x0) returned 1 [0231.573] GetProcessHeap () returned 0xa10000 [0231.573] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.575] CloseHandle (hObject=0x264) returned 1 [0231.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0231.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d0 | out: hHeap=0x28d0000) returned 1 [0231.577] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14b8 [0231.577] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.nefilim")) returned 1 [0231.578] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0231.578] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1460 | out: hHeap=0x28d0000) returned 1 [0231.578] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0231.578] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0231.578] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.578] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0231.578] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0231.578] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2=".") returned 1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="..") returned 1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="...") returned 1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="windows") returned -1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="$RECYCLE.BIN") returned 1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="rsa") returned -1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="NTDETECT.COM") returned -1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="ntldr") returned -1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="MSDOS.SYS") returned -1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="IO.SYS") returned -1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="boot.ini") returned 1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="AUTOEXEC.BAT") returned 1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="ntuser.dat") returned -1 [0231.578] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="desktop.ini") returned 1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="CONFIG.SYS") returned 1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="RECYCLER") returned -1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="BOOTSECT.BAK") returned 1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="bootmgr") returned 1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="programdata") returned -1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="appdata") returned 1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="program files") returned -1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="program files (x86)") returned -1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="microsoft") returned -1 [0231.579] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="sophos") returned -1 [0231.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1378 [0231.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0231.579] PathFindExtensionW (pszPath="DHtmlHeader.html") returned=".html" [0231.579] lstrcmpiW (lpString1=".html", lpString2=".exe") returned 1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".log") returned -1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".cab") returned 1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".cmd") returned 1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".com") returned 1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".cpl") returned 1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".ini") returned -1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".dll") returned 1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".url") returned -1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".ttf") returned -1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".mp3") returned -1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".pif") returned -1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".mp4") returned -1 [0231.579] lstrcmpiW (lpString1=".html", lpString2=".NEFILIM") returned -1 [0231.580] lstrcmpiW (lpString1=".html", lpString2=".msi") returned -1 [0231.580] lstrcmpiW (lpString1=".html", lpString2=".lnk") returned -1 [0231.580] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0231.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d13d0 [0231.580] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0231.580] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=16118) returned 1 [0231.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1330 [0231.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1348 [0231.580] SystemFunction036 (in: RandomBuffer=0x28d1330, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1330) returned 1 [0231.580] SystemFunction036 (in: RandomBuffer=0x28d1348, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1348) returned 1 [0231.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1428 [0231.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.580] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1428*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1428*, pdwDataLen=0x26ef248*=0x100) returned 1 [0231.583] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0231.586] GetTickCount () returned 0x117a51c [0231.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0231.586] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.586] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ef6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.586] SetLastError (dwErrCode=0x0) [0231.586] WriteFile (in: hFile=0x260, lpBuffer=0x28d1428*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1428*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0231.588] GetLastError () returned 0x0 [0231.588] GetLastError () returned 0x0 [0231.588] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ff6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.588] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0231.588] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.588] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xb059aa91, dwHighDateTime=0x1d5fd73)) [0231.589] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0231.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.589] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0231.589] GetProcessHeap () returned 0xa10000 [0231.589] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3ef6) returned 0xa3b688 [0231.590] GetSystemDefaultLangID () returned 0xa20409 [0231.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.590] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x3ef6, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x3ef6, lpOverlapped=0x0) returned 1 [0231.592] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.592] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x3ef6, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x3ef6, lpOverlapped=0x0) returned 1 [0231.593] GetProcessHeap () returned 0xa10000 [0231.593] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.593] CloseHandle (hObject=0x260) returned 1 [0231.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1428 | out: hHeap=0x28d0000) returned 1 [0231.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0231.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1348 | out: hHeap=0x28d0000) returned 1 [0231.595] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1428 [0231.595] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), lpNewFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.nefilim")) returned 1 [0231.595] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1428 | out: hHeap=0x28d0000) returned 1 [0231.595] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13d0 | out: hHeap=0x28d0000) returned 1 [0231.595] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0231.595] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2=".") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="..") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="...") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="windows") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="rsa") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="NTDETECT.COM") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="ntldr") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="MSDOS.SYS") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="IO.SYS") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="boot.ini") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="ntuser.dat") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="desktop.ini") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="CONFIG.SYS") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="RECYCLER") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="bootmgr") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="programdata") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="appdata") returned 1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="program files") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="program files (x86)") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="microsoft") returned -1 [0231.596] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="sophos") returned -1 [0231.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d13d0 [0231.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0231.596] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.597] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.597] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0231.597] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0231.597] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0231.641] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=88533) returned 1 [0231.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1388 [0231.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13a0 [0231.641] SystemFunction036 (in: RandomBuffer=0x28d1388, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1388) returned 1 [0231.641] SystemFunction036 (in: RandomBuffer=0x28d13a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13a0) returned 1 [0231.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1428 [0231.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.641] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1428*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1428*, pdwDataLen=0x26ef248*=0x100) returned 1 [0231.643] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0231.645] GetTickCount () returned 0x117a55b [0231.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0231.646] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.646] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x159d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.646] SetLastError (dwErrCode=0x0) [0231.646] WriteFile (in: hFile=0x260, lpBuffer=0x28d1428*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1428*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0231.648] GetLastError () returned 0x0 [0231.648] GetLastError () returned 0x0 [0231.648] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15ad5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.649] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0231.649] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15bd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.649] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xb063344c, dwHighDateTime=0x1d5fd73)) [0231.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0231.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.649] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0231.649] GetProcessHeap () returned 0xa10000 [0231.649] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x159d5) returned 0xa3b688 [0231.650] GetSystemDefaultLangID () returned 0xa20409 [0231.650] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.650] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x159d5, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x159d5, lpOverlapped=0x0) returned 1 [0231.659] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.659] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x159d5, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x159d5, lpOverlapped=0x0) returned 1 [0231.660] GetProcessHeap () returned 0xa10000 [0231.660] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.660] CloseHandle (hObject=0x260) returned 1 [0231.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1428 | out: hHeap=0x28d0000) returned 1 [0231.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0231.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13a0 | out: hHeap=0x28d0000) returned 1 [0231.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1428 [0231.669] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), lpNewFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico.nefilim")) returned 1 [0231.670] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1428 | out: hHeap=0x28d0000) returned 1 [0231.670] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0231.670] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Extended", cAlternateFileName="")) returned 1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2=".") returned 1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="..") returned 1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="...") returned 1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="windows") returned -1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="$RECYCLE.BIN") returned 1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="rsa") returned -1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="NTDETECT.COM") returned -1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="ntldr") returned -1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="MSDOS.SYS") returned -1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="IO.SYS") returned -1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="boot.ini") returned 1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="AUTOEXEC.BAT") returned 1 [0231.670] lstrcmpiW (lpString1="Extended", lpString2="ntuser.dat") returned -1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="desktop.ini") returned 1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="CONFIG.SYS") returned 1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="RECYCLER") returned -1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="BOOTSECT.BAK") returned 1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="bootmgr") returned 1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="programdata") returned -1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="appdata") returned 1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="program files") returned -1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="program files (x86)") returned -1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="microsoft") returned -1 [0231.671] lstrcmpiW (lpString1="Extended", lpString2="sophos") returned -1 [0231.671] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0231.671] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13d0 | out: hHeap=0x28d0000) returned 1 [0231.671] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0231.671] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0231.671] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1408 [0231.671] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f320 [0231.671] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0231.672] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.672] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0231.672] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0231.672] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2=".") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="..") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="...") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="windows") returned -1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="rsa") returned -1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="NTDETECT.COM") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="ntldr") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="MSDOS.SYS") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="IO.SYS") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="boot.ini") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="ntuser.dat") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="desktop.ini") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="CONFIG.SYS") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="RECYCLER") returned -1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="bootmgr") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="programdata") returned -1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="appdata") returned 1 [0231.672] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="program files") returned -1 [0231.673] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="program files (x86)") returned -1 [0231.673] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="microsoft") returned 1 [0231.673] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="sophos") returned -1 [0231.673] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1460 [0231.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.673] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0231.673] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0231.673] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.673] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.674] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.674] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=93314) returned 1 [0231.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1408 [0231.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1420 [0231.674] SystemFunction036 (in: RandomBuffer=0x28d1408, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1408) returned 1 [0231.674] SystemFunction036 (in: RandomBuffer=0x28d1420, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1420) returned 1 [0231.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d2048 [0231.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d2150 [0231.674] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d2048*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d2048*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.675] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d2150*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d2150*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.675] GetTickCount () returned 0x117a57a [0231.675] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14d8 [0231.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0231.675] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x16c82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.675] SetLastError (dwErrCode=0x0) [0231.675] WriteFile (in: hFile=0x264, lpBuffer=0x28d2048*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d2048*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.720] GetLastError () returned 0x0 [0231.720] GetLastError () returned 0x0 [0231.720] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x16d82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.720] WriteFile (in: hFile=0x264, lpBuffer=0x28d2150*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d2150*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.720] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x16e82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.721] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb06f205e, dwHighDateTime=0x1d5fd73)) [0231.721] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14d8 [0231.721] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0231.721] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.721] GetProcessHeap () returned 0xa10000 [0231.721] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x16c82) returned 0xa3b688 [0231.721] GetSystemDefaultLangID () returned 0xa20409 [0231.721] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.721] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x16c82, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x16c82, lpOverlapped=0x0) returned 1 [0231.728] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.728] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x16c82, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x16c82, lpOverlapped=0x0) returned 1 [0231.729] GetProcessHeap () returned 0xa10000 [0231.729] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.729] CloseHandle (hObject=0x264) returned 1 [0231.735] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2048 | out: hHeap=0x28d0000) returned 1 [0231.735] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2150 | out: hHeap=0x28d0000) returned 1 [0231.735] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.735] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1420 | out: hHeap=0x28d0000) returned 1 [0231.735] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d2048 [0231.736] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.nefilim")) returned 1 [0231.736] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2048 | out: hHeap=0x28d0000) returned 1 [0231.736] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.736] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2=".") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="..") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="...") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="windows") returned -1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="rsa") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NTDETECT.COM") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntldr") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="MSDOS.SYS") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="IO.SYS") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="boot.ini") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntuser.dat") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="desktop.ini") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="CONFIG.SYS") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="RECYCLER") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="bootmgr") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="programdata") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="appdata") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files (x86)") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="microsoft") returned 1 [0231.737] lstrcmpiW (lpString1="UiInfo.xml", lpString2="sophos") returned 1 [0231.738] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14d8 [0231.738] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1460 | out: hHeap=0x28d0000) returned 1 [0231.738] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0231.738] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0231.738] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.738] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.738] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.739] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=39050) returned 1 [0231.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1470 [0231.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1488 [0231.739] SystemFunction036 (in: RandomBuffer=0x28d1470, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1470) returned 1 [0231.739] SystemFunction036 (in: RandomBuffer=0x28d1488, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1488) returned 1 [0231.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.739] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.741] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.743] GetTickCount () returned 0x117a5b8 [0231.743] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14a0 [0231.743] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a0 | out: hHeap=0x28d0000) returned 1 [0231.743] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x988a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.743] SetLastError (dwErrCode=0x0) [0231.743] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.746] GetLastError () returned 0x0 [0231.746] GetLastError () returned 0x0 [0231.746] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x998a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.746] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.746] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9a8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.746] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb073e3c1, dwHighDateTime=0x1d5fd73)) [0231.746] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.746] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.746] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.747] GetProcessHeap () returned 0xa10000 [0231.747] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x988a) returned 0xa3b688 [0231.747] GetSystemDefaultLangID () returned 0xa20409 [0231.747] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.747] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x988a, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x988a, lpOverlapped=0x0) returned 1 [0231.751] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.751] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x988a, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x988a, lpOverlapped=0x0) returned 1 [0231.752] GetProcessHeap () returned 0xa10000 [0231.752] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.753] CloseHandle (hObject=0x264) returned 1 [0231.759] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.759] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.759] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.759] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1488 | out: hHeap=0x28d0000) returned 1 [0231.759] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.760] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.nefilim")) returned 1 [0231.760] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.761] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0231.761] FindClose (in: hFindFile=0xa2f320 | out: hFindFile=0xa2f320) returned 1 [0231.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0231.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0231.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0231.761] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0231.797] lstrcmpiW (lpString1="Graphics", lpString2=".") returned 1 [0231.797] lstrcmpiW (lpString1="Graphics", lpString2="..") returned 1 [0231.797] lstrcmpiW (lpString1="Graphics", lpString2="...") returned 1 [0231.797] lstrcmpiW (lpString1="Graphics", lpString2="windows") returned -1 [0231.797] lstrcmpiW (lpString1="Graphics", lpString2="$RECYCLE.BIN") returned 1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="rsa") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="NTDETECT.COM") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="ntldr") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="MSDOS.SYS") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="IO.SYS") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="boot.ini") returned 1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="AUTOEXEC.BAT") returned 1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="ntuser.dat") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="desktop.ini") returned 1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="CONFIG.SYS") returned 1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="RECYCLER") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="BOOTSECT.BAK") returned 1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="bootmgr") returned 1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="programdata") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="appdata") returned 1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="program files") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="program files (x86)") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="microsoft") returned -1 [0231.798] lstrcmpiW (lpString1="Graphics", lpString2="sophos") returned -1 [0231.798] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1378 [0231.798] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0231.798] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0231.798] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13c0 [0231.799] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1408 [0231.799] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f420 [0231.802] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0231.802] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.802] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0231.802] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0231.803] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2=".") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="..") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="...") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="windows") returned -1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="rsa") returned -1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="NTDETECT.COM") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="ntldr") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="MSDOS.SYS") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="IO.SYS") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="boot.ini") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="ntuser.dat") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="desktop.ini") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="CONFIG.SYS") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="RECYCLER") returned -1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="bootmgr") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="programdata") returned -1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="appdata") returned 1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="program files") returned -1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="program files (x86)") returned -1 [0231.803] lstrcmpiW (lpString1="Print.ico", lpString2="microsoft") returned 1 [0231.804] lstrcmpiW (lpString1="Print.ico", lpString2="sophos") returned -1 [0231.804] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1460 [0231.804] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.804] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.804] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.804] lstrcmpiW (lpString1="Print.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.804] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14c8 [0231.805] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.806] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=1150) returned 1 [0231.806] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1408 [0231.806] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1420 [0231.806] SystemFunction036 (in: RandomBuffer=0x28d1408, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1408) returned 1 [0231.806] SystemFunction036 (in: RandomBuffer=0x28d1420, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1420) returned 1 [0231.806] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.806] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.806] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.808] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.809] GetTickCount () returned 0x117a5f7 [0231.809] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d21e0 [0231.809] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.809] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.809] SetLastError (dwErrCode=0x0) [0231.809] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.820] GetLastError () returned 0x0 [0231.820] GetLastError () returned 0x0 [0231.820] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.820] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.820] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x67e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.820] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb07e3d8e, dwHighDateTime=0x1d5fd73)) [0231.820] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.820] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.820] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.820] GetProcessHeap () returned 0xa10000 [0231.820] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x47e) returned 0xa3b688 [0231.820] GetSystemDefaultLangID () returned 0xa20409 [0231.820] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.820] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x47e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x47e, lpOverlapped=0x0) returned 1 [0231.821] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.821] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x47e, lpOverlapped=0x0) returned 1 [0231.821] GetProcessHeap () returned 0xa10000 [0231.821] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.821] CloseHandle (hObject=0x264) returned 1 [0231.827] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.827] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.827] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.827] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1420 | out: hHeap=0x28d0000) returned 1 [0231.828] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.828] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico.nefilim")) returned 1 [0231.828] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.829] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0231.829] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2=".") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="..") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="...") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="windows") returned -1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="rsa") returned -1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="NTDETECT.COM") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="ntldr") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="MSDOS.SYS") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="IO.SYS") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="boot.ini") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="ntuser.dat") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="desktop.ini") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="CONFIG.SYS") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="RECYCLER") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="bootmgr") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="programdata") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="appdata") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="program files") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="program files (x86)") returned 1 [0231.829] lstrcmpiW (lpString1="Rotate1.ico", lpString2="microsoft") returned 1 [0231.830] lstrcmpiW (lpString1="Rotate1.ico", lpString2="sophos") returned -1 [0231.830] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14c8 [0231.830] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1460 | out: hHeap=0x28d0000) returned 1 [0231.830] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.830] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.830] lstrcmpiW (lpString1="Rotate1.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.830] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.830] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.831] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=894) returned 1 [0231.831] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1470 [0231.831] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1488 [0231.831] SystemFunction036 (in: RandomBuffer=0x28d1470, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1470) returned 1 [0231.831] SystemFunction036 (in: RandomBuffer=0x28d1488, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1488) returned 1 [0231.831] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.831] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.831] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.832] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.832] GetTickCount () returned 0x117a616 [0231.832] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d21e0 [0231.832] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.832] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.832] SetLastError (dwErrCode=0x0) [0231.832] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.835] GetLastError () returned 0x0 [0231.835] GetLastError () returned 0x0 [0231.835] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.835] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.835] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.835] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0805e3a, dwHighDateTime=0x1d5fd73)) [0231.835] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.835] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.835] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.835] GetProcessHeap () returned 0xa10000 [0231.835] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x37e) returned 0xa3b688 [0231.835] GetSystemDefaultLangID () returned 0xa20409 [0231.836] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.836] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x37e, lpOverlapped=0x0) returned 1 [0231.836] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.836] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x37e, lpOverlapped=0x0) returned 1 [0231.836] GetProcessHeap () returned 0xa10000 [0231.836] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.836] CloseHandle (hObject=0x264) returned 1 [0231.838] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.838] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.838] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.838] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1488 | out: hHeap=0x28d0000) returned 1 [0231.838] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.838] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico.nefilim")) returned 1 [0231.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.843] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2=".") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="..") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="...") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="windows") returned -1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="rsa") returned -1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="NTDETECT.COM") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="ntldr") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="MSDOS.SYS") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="IO.SYS") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="boot.ini") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="ntuser.dat") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="desktop.ini") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="CONFIG.SYS") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="RECYCLER") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="bootmgr") returned 1 [0231.843] lstrcmpiW (lpString1="Rotate2.ico", lpString2="programdata") returned 1 [0231.844] lstrcmpiW (lpString1="Rotate2.ico", lpString2="appdata") returned 1 [0231.844] lstrcmpiW (lpString1="Rotate2.ico", lpString2="program files") returned 1 [0231.844] lstrcmpiW (lpString1="Rotate2.ico", lpString2="program files (x86)") returned 1 [0231.844] lstrcmpiW (lpString1="Rotate2.ico", lpString2="microsoft") returned 1 [0231.844] lstrcmpiW (lpString1="Rotate2.ico", lpString2="sophos") returned -1 [0231.844] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.844] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0231.844] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.844] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.844] lstrcmpiW (lpString1="Rotate2.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.844] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0231.845] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.845] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=894) returned 1 [0231.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0231.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0231.845] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0231.845] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0231.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.845] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.845] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.846] GetTickCount () returned 0x117a626 [0231.846] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0231.846] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0231.846] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.846] SetLastError (dwErrCode=0x0) [0231.846] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.889] GetLastError () returned 0x0 [0231.889] GetLastError () returned 0x0 [0231.889] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.889] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.889] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.890] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0895b5e, dwHighDateTime=0x1d5fd73)) [0231.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.890] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.890] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.890] GetProcessHeap () returned 0xa10000 [0231.890] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x37e) returned 0xa3b688 [0231.890] GetSystemDefaultLangID () returned 0xa20409 [0231.890] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.890] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x37e, lpOverlapped=0x0) returned 1 [0231.890] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.890] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x37e, lpOverlapped=0x0) returned 1 [0231.891] GetProcessHeap () returned 0xa10000 [0231.891] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.891] CloseHandle (hObject=0x264) returned 1 [0231.892] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.892] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.892] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0231.892] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0231.892] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.892] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico.nefilim")) returned 1 [0231.893] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.893] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.893] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2=".") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="..") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="...") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="windows") returned -1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="rsa") returned -1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="NTDETECT.COM") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="ntldr") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="MSDOS.SYS") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="IO.SYS") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="boot.ini") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="ntuser.dat") returned 1 [0231.893] lstrcmpiW (lpString1="Rotate3.ico", lpString2="desktop.ini") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="CONFIG.SYS") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="RECYCLER") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="bootmgr") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="programdata") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="appdata") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="program files") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="program files (x86)") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="microsoft") returned 1 [0231.894] lstrcmpiW (lpString1="Rotate3.ico", lpString2="sophos") returned -1 [0231.894] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0231.894] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.894] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.894] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.895] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.895] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.895] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.895] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.895] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.895] lstrcmpiW (lpString1="Rotate3.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.895] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.895] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.895] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=894) returned 1 [0231.895] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0231.895] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0231.895] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0231.896] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0231.896] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.896] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.896] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.896] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.896] GetTickCount () returned 0x117a655 [0231.896] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0231.897] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0231.897] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.897] SetLastError (dwErrCode=0x0) [0231.897] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.900] GetLastError () returned 0x0 [0231.900] GetLastError () returned 0x0 [0231.900] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.900] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.900] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.900] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0895b5e, dwHighDateTime=0x1d5fd73)) [0231.900] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.900] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.900] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.900] GetProcessHeap () returned 0xa10000 [0231.900] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x37e) returned 0xa3b688 [0231.900] GetSystemDefaultLangID () returned 0xa20409 [0231.900] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.900] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x37e, lpOverlapped=0x0) returned 1 [0231.901] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.901] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x37e, lpOverlapped=0x0) returned 1 [0231.901] GetProcessHeap () returned 0xa10000 [0231.901] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.901] CloseHandle (hObject=0x264) returned 1 [0231.904] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.904] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.904] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0231.904] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0231.904] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.904] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico.nefilim")) returned 1 [0231.905] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.905] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.905] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2=".") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="..") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="...") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="windows") returned -1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="rsa") returned -1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="NTDETECT.COM") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="ntldr") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="MSDOS.SYS") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="IO.SYS") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="boot.ini") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="ntuser.dat") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="desktop.ini") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="CONFIG.SYS") returned 1 [0231.905] lstrcmpiW (lpString1="Rotate4.ico", lpString2="RECYCLER") returned 1 [0231.906] lstrcmpiW (lpString1="Rotate4.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.906] lstrcmpiW (lpString1="Rotate4.ico", lpString2="bootmgr") returned 1 [0231.906] lstrcmpiW (lpString1="Rotate4.ico", lpString2="programdata") returned 1 [0231.906] lstrcmpiW (lpString1="Rotate4.ico", lpString2="appdata") returned 1 [0231.906] lstrcmpiW (lpString1="Rotate4.ico", lpString2="program files") returned 1 [0231.906] lstrcmpiW (lpString1="Rotate4.ico", lpString2="program files (x86)") returned 1 [0231.906] lstrcmpiW (lpString1="Rotate4.ico", lpString2="microsoft") returned 1 [0231.906] lstrcmpiW (lpString1="Rotate4.ico", lpString2="sophos") returned -1 [0231.906] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.906] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.906] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.906] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.907] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.907] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.907] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.907] lstrcmpiW (lpString1="Rotate4.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.907] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0231.907] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.908] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=894) returned 1 [0231.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0231.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0231.908] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0231.908] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0231.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.908] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.908] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.909] GetTickCount () returned 0x117a664 [0231.909] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0231.909] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0231.909] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.909] SetLastError (dwErrCode=0x0) [0231.909] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.912] GetLastError () returned 0x0 [0231.912] GetLastError () returned 0x0 [0231.912] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.913] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.913] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.913] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb08bf899, dwHighDateTime=0x1d5fd73)) [0231.913] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.913] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.913] GetProcessHeap () returned 0xa10000 [0231.913] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x37e) returned 0xa3b688 [0231.913] GetSystemDefaultLangID () returned 0xa20409 [0231.913] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.913] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x37e, lpOverlapped=0x0) returned 1 [0231.913] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.913] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x37e, lpOverlapped=0x0) returned 1 [0231.914] GetProcessHeap () returned 0xa10000 [0231.914] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.914] CloseHandle (hObject=0x264) returned 1 [0231.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0231.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0231.915] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.915] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico.nefilim")) returned 1 [0231.916] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.916] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.916] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0231.916] lstrcmpiW (lpString1="Rotate5.ico", lpString2=".") returned 1 [0231.916] lstrcmpiW (lpString1="Rotate5.ico", lpString2="..") returned 1 [0231.916] lstrcmpiW (lpString1="Rotate5.ico", lpString2="...") returned 1 [0231.916] lstrcmpiW (lpString1="Rotate5.ico", lpString2="windows") returned -1 [0231.916] lstrcmpiW (lpString1="Rotate5.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.916] lstrcmpiW (lpString1="Rotate5.ico", lpString2="rsa") returned -1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="NTDETECT.COM") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="ntldr") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="MSDOS.SYS") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="IO.SYS") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="boot.ini") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="ntuser.dat") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="desktop.ini") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="CONFIG.SYS") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="RECYCLER") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="bootmgr") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="programdata") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="appdata") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="program files") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="program files (x86)") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="microsoft") returned 1 [0231.917] lstrcmpiW (lpString1="Rotate5.ico", lpString2="sophos") returned -1 [0231.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0231.918] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.918] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.918] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.918] lstrcmpiW (lpString1="Rotate5.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.918] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.919] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=894) returned 1 [0231.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0231.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0231.919] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0231.919] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0231.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.919] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.919] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.920] GetTickCount () returned 0x117a674 [0231.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0231.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0231.920] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.920] SetLastError (dwErrCode=0x0) [0231.920] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.923] GetLastError () returned 0x0 [0231.923] GetLastError () returned 0x0 [0231.923] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.923] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.923] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.923] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb08e1f89, dwHighDateTime=0x1d5fd73)) [0231.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.923] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.923] GetProcessHeap () returned 0xa10000 [0231.923] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x37e) returned 0xa3b688 [0231.923] GetSystemDefaultLangID () returned 0xa20409 [0231.923] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.923] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x37e, lpOverlapped=0x0) returned 1 [0231.924] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.924] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x37e, lpOverlapped=0x0) returned 1 [0231.924] GetProcessHeap () returned 0xa10000 [0231.924] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.924] CloseHandle (hObject=0x264) returned 1 [0231.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0231.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0231.927] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.927] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico.nefilim")) returned 1 [0231.928] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.928] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.928] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0231.928] lstrcmpiW (lpString1="Rotate6.ico", lpString2=".") returned 1 [0231.928] lstrcmpiW (lpString1="Rotate6.ico", lpString2="..") returned 1 [0231.928] lstrcmpiW (lpString1="Rotate6.ico", lpString2="...") returned 1 [0231.928] lstrcmpiW (lpString1="Rotate6.ico", lpString2="windows") returned -1 [0231.928] lstrcmpiW (lpString1="Rotate6.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="rsa") returned -1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="NTDETECT.COM") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="ntldr") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="MSDOS.SYS") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="IO.SYS") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="boot.ini") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="ntuser.dat") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="desktop.ini") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="CONFIG.SYS") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="RECYCLER") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="bootmgr") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="programdata") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="appdata") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="program files") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="program files (x86)") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="microsoft") returned 1 [0231.929] lstrcmpiW (lpString1="Rotate6.ico", lpString2="sophos") returned -1 [0231.929] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.930] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.930] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.930] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.930] lstrcmpiW (lpString1="Rotate6.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0231.930] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.931] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=894) returned 1 [0231.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0231.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0231.931] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0231.931] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0231.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.931] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.931] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.932] GetTickCount () returned 0x117a674 [0231.932] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0231.932] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0231.932] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.932] SetLastError (dwErrCode=0x0) [0231.932] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.970] GetLastError () returned 0x0 [0231.970] GetLastError () returned 0x0 [0231.970] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.970] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.970] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.970] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb095a509, dwHighDateTime=0x1d5fd73)) [0231.970] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.971] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.971] GetProcessHeap () returned 0xa10000 [0231.971] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x37e) returned 0xa3b688 [0231.971] GetSystemDefaultLangID () returned 0xa20409 [0231.971] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.971] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x37e, lpOverlapped=0x0) returned 1 [0231.971] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.971] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x37e, lpOverlapped=0x0) returned 1 [0231.971] GetProcessHeap () returned 0xa10000 [0231.971] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.971] CloseHandle (hObject=0x264) returned 1 [0231.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0231.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0231.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.980] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico.nefilim")) returned 1 [0231.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.981] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2=".") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="..") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="...") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="windows") returned -1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="rsa") returned -1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="NTDETECT.COM") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="ntldr") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="MSDOS.SYS") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="IO.SYS") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="boot.ini") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="ntuser.dat") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="desktop.ini") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="CONFIG.SYS") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="RECYCLER") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="bootmgr") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="programdata") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="appdata") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="program files") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="program files (x86)") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="microsoft") returned 1 [0231.981] lstrcmpiW (lpString1="Rotate7.ico", lpString2="sophos") returned -1 [0231.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0231.982] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.982] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.982] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.982] lstrcmpiW (lpString1="Rotate7.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.982] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.983] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=894) returned 1 [0231.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0231.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0231.983] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0231.983] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0231.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.983] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.983] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.984] GetTickCount () returned 0x117a6b2 [0231.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0231.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0231.984] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.984] SetLastError (dwErrCode=0x0) [0231.984] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.986] GetLastError () returned 0x0 [0231.986] GetLastError () returned 0x0 [0231.986] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.986] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0231.986] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.986] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb097b830, dwHighDateTime=0x1d5fd73)) [0231.986] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0231.986] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0231.986] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0231.986] GetProcessHeap () returned 0xa10000 [0231.986] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x37e) returned 0xa3b688 [0231.986] GetSystemDefaultLangID () returned 0xa20409 [0231.986] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.986] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x37e, lpOverlapped=0x0) returned 1 [0231.987] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.987] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x37e, lpOverlapped=0x0) returned 1 [0231.987] GetProcessHeap () returned 0xa10000 [0231.987] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0231.987] CloseHandle (hObject=0x264) returned 1 [0231.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0231.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0231.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0231.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0231.991] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico.nefilim")) returned 1 [0231.992] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0231.992] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0231.992] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2=".") returned 1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2="..") returned 1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2="...") returned 1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2="windows") returned -1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2="$RECYCLE.BIN") returned 1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2="rsa") returned -1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2="NTDETECT.COM") returned 1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2="ntldr") returned 1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2="MSDOS.SYS") returned 1 [0231.993] lstrcmpiW (lpString1="Rotate8.ico", lpString2="IO.SYS") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="boot.ini") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="AUTOEXEC.BAT") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="ntuser.dat") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="desktop.ini") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="CONFIG.SYS") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="RECYCLER") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="BOOTSECT.BAK") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="bootmgr") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="programdata") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="appdata") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="program files") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="program files (x86)") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="microsoft") returned 1 [0231.994] lstrcmpiW (lpString1="Rotate8.ico", lpString2="sophos") returned -1 [0231.994] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0231.994] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0231.994] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0231.994] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0231.994] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0231.994] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0231.994] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0231.994] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0231.995] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0231.995] lstrcmpiW (lpString1="Rotate8.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0231.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0231.995] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0231.997] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=894) returned 1 [0231.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0231.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0231.997] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0231.997] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0231.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0231.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0231.997] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0231.997] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0231.998] GetTickCount () returned 0x117a6c2 [0231.998] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0231.998] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0231.998] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0231.998] SetLastError (dwErrCode=0x0) [0231.998] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.006] GetLastError () returned 0x0 [0232.006] GetLastError () returned 0x0 [0232.006] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.006] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.007] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.007] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb09a0b02, dwHighDateTime=0x1d5fd73)) [0232.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0232.007] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0232.007] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0232.007] GetProcessHeap () returned 0xa10000 [0232.007] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x37e) returned 0xa3b688 [0232.007] GetSystemDefaultLangID () returned 0xa20409 [0232.007] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.007] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x37e, lpOverlapped=0x0) returned 1 [0232.007] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.007] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x37e, lpOverlapped=0x0) returned 1 [0232.007] GetProcessHeap () returned 0xa10000 [0232.007] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.008] CloseHandle (hObject=0x264) returned 1 [0232.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0232.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0232.046] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0232.046] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico.nefilim")) returned 1 [0232.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0232.047] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2=".") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="..") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="...") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="windows") returned -1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="$RECYCLE.BIN") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="rsa") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="NTDETECT.COM") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="ntldr") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="MSDOS.SYS") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="IO.SYS") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="boot.ini") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="AUTOEXEC.BAT") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="ntuser.dat") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="desktop.ini") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="CONFIG.SYS") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="RECYCLER") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="BOOTSECT.BAK") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="bootmgr") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="programdata") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="appdata") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="program files") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="program files (x86)") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="microsoft") returned 1 [0232.047] lstrcmpiW (lpString1="Save.ico", lpString2="sophos") returned -1 [0232.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1470 [0232.047] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0232.047] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0232.047] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0232.047] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0232.047] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0232.047] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0232.047] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0232.047] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0232.048] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0232.048] lstrcmpiW (lpString1="Save.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0232.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1408 [0232.048] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0232.048] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=1150) returned 1 [0232.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14c8 [0232.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14e0 [0232.048] SystemFunction036 (in: RandomBuffer=0x28d14c8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14c8) returned 1 [0232.048] SystemFunction036 (in: RandomBuffer=0x28d14e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14e0) returned 1 [0232.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0232.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0232.048] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0232.049] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0232.049] GetTickCount () returned 0x117a6f1 [0232.049] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14f8 [0232.049] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f8 | out: hHeap=0x28d0000) returned 1 [0232.049] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.049] SetLastError (dwErrCode=0x0) [0232.049] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.051] GetLastError () returned 0x0 [0232.051] GetLastError () returned 0x0 [0232.051] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.051] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.051] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x67e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.051] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0a131f1, dwHighDateTime=0x1d5fd73)) [0232.051] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14f8 [0232.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f8 | out: hHeap=0x28d0000) returned 1 [0232.052] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0232.052] GetProcessHeap () returned 0xa10000 [0232.052] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x47e) returned 0xa3b688 [0232.052] GetSystemDefaultLangID () returned 0xa20409 [0232.052] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.052] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x47e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x47e, lpOverlapped=0x0) returned 1 [0232.052] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.052] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x47e, lpOverlapped=0x0) returned 1 [0232.052] GetProcessHeap () returned 0xa10000 [0232.052] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.052] CloseHandle (hObject=0x264) returned 1 [0232.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0232.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14e0 | out: hHeap=0x28d0000) returned 1 [0232.053] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14c8 [0232.053] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico.nefilim")) returned 1 [0232.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0232.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0232.054] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2=".") returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="..") returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="...") returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="windows") returned -1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="$RECYCLE.BIN") returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="rsa") returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="NTDETECT.COM") returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="ntldr") returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="MSDOS.SYS") returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="IO.SYS") returned 1 [0232.054] lstrcmpiW (lpString1="Setup.ico", lpString2="boot.ini") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="AUTOEXEC.BAT") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="ntuser.dat") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="desktop.ini") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="CONFIG.SYS") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="RECYCLER") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="BOOTSECT.BAK") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="bootmgr") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="programdata") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="appdata") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="program files") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="program files (x86)") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="microsoft") returned 1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="sophos") returned -1 [0232.055] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0232.055] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0232.055] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0232.055] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0232.055] lstrcmpiW (lpString1="Setup.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0232.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0232.056] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0232.056] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=36710) returned 1 [0232.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0232.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0232.056] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0232.056] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0232.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0232.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0232.056] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0232.056] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0232.057] GetTickCount () returned 0x117a6f1 [0232.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0232.057] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0232.057] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x8f66, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.057] SetLastError (dwErrCode=0x0) [0232.057] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.059] GetLastError () returned 0x0 [0232.059] GetLastError () returned 0x0 [0232.059] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9066, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.059] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.059] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9166, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.060] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0a394cf, dwHighDateTime=0x1d5fd73)) [0232.060] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0232.060] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0232.060] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0232.060] GetProcessHeap () returned 0xa10000 [0232.060] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x8f66) returned 0xa3b688 [0232.060] GetSystemDefaultLangID () returned 0xa20409 [0232.060] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.060] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x8f66, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x8f66, lpOverlapped=0x0) returned 1 [0232.063] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.063] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x8f66, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x8f66, lpOverlapped=0x0) returned 1 [0232.064] GetProcessHeap () returned 0xa10000 [0232.064] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.065] CloseHandle (hObject=0x264) returned 1 [0232.067] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.067] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.067] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0232.067] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0232.067] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0232.067] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico.nefilim")) returned 1 [0232.068] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.068] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0232.068] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2=".") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="..") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="...") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="windows") returned -1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="$RECYCLE.BIN") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="rsa") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="NTDETECT.COM") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="ntldr") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="MSDOS.SYS") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="IO.SYS") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="boot.ini") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="AUTOEXEC.BAT") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="ntuser.dat") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="desktop.ini") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="CONFIG.SYS") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="RECYCLER") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="BOOTSECT.BAK") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="bootmgr") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="programdata") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="appdata") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="program files") returned 1 [0232.068] lstrcmpiW (lpString1="stop.ico", lpString2="program files (x86)") returned 1 [0232.069] lstrcmpiW (lpString1="stop.ico", lpString2="microsoft") returned 1 [0232.069] lstrcmpiW (lpString1="stop.ico", lpString2="sophos") returned 1 [0232.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1470 [0232.069] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0232.069] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0232.069] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0232.069] lstrcmpiW (lpString1="stop.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0232.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1408 [0232.069] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0232.070] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=10134) returned 1 [0232.070] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14c8 [0232.070] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14e0 [0232.070] SystemFunction036 (in: RandomBuffer=0x28d14c8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14c8) returned 1 [0232.070] SystemFunction036 (in: RandomBuffer=0x28d14e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14e0) returned 1 [0232.070] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0232.070] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0232.070] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0232.072] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0232.072] GetTickCount () returned 0x117a700 [0232.072] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14f8 [0232.072] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f8 | out: hHeap=0x28d0000) returned 1 [0232.072] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2796, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.072] SetLastError (dwErrCode=0x0) [0232.072] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.075] GetLastError () returned 0x0 [0232.075] GetLastError () returned 0x0 [0232.075] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2896, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.075] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.075] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2996, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.075] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0a5f87d, dwHighDateTime=0x1d5fd73)) [0232.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14f8 [0232.075] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f8 | out: hHeap=0x28d0000) returned 1 [0232.075] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0232.075] GetProcessHeap () returned 0xa10000 [0232.075] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2796) returned 0xa3b688 [0232.075] GetSystemDefaultLangID () returned 0xa20409 [0232.075] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.075] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x2796, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x2796, lpOverlapped=0x0) returned 1 [0232.077] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.077] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x2796, lpOverlapped=0x0) returned 1 [0232.077] GetProcessHeap () returned 0xa10000 [0232.077] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.077] CloseHandle (hObject=0x264) returned 1 [0232.087] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.087] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.087] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0232.087] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14e0 | out: hHeap=0x28d0000) returned 1 [0232.087] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14c8 [0232.087] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico.nefilim")) returned 1 [0232.088] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0232.088] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0232.088] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2=".") returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="..") returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="...") returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="windows") returned -1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="$RECYCLE.BIN") returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="rsa") returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="NTDETECT.COM") returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="ntldr") returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="MSDOS.SYS") returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="IO.SYS") returned 1 [0232.088] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="boot.ini") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="AUTOEXEC.BAT") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="ntuser.dat") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="desktop.ini") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="CONFIG.SYS") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="RECYCLER") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="BOOTSECT.BAK") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="bootmgr") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="programdata") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="appdata") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="program files") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="program files (x86)") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="microsoft") returned 1 [0232.089] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="sophos") returned 1 [0232.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0232.123] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0232.123] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0232.123] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0232.124] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0232.124] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0232.124] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0232.124] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0232.124] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0232.124] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0232.124] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0232.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0232.124] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0232.124] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=1150) returned 1 [0232.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0232.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0232.124] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0232.124] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0232.125] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0232.125] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0232.125] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0232.125] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0232.125] GetTickCount () returned 0x117a73f [0232.125] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0232.125] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0232.125] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.125] SetLastError (dwErrCode=0x0) [0232.125] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.222] GetLastError () returned 0x0 [0232.222] GetLastError () returned 0x0 [0232.222] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.222] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.222] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x67e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.222] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0bb6c9d, dwHighDateTime=0x1d5fd73)) [0232.222] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0232.222] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0232.222] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0232.222] GetProcessHeap () returned 0xa10000 [0232.223] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x47e) returned 0xa3b688 [0232.223] GetSystemDefaultLangID () returned 0xa20409 [0232.223] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.223] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x47e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x47e, lpOverlapped=0x0) returned 1 [0232.223] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.223] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x47e, lpOverlapped=0x0) returned 1 [0232.223] GetProcessHeap () returned 0xa10000 [0232.223] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.223] CloseHandle (hObject=0x264) returned 1 [0232.227] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.227] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.227] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0232.227] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0232.227] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0232.228] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico.nefilim")) returned 1 [0232.228] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.229] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0232.229] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2=".") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="..") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="...") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="windows") returned -1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="$RECYCLE.BIN") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="rsa") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="NTDETECT.COM") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="ntldr") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="MSDOS.SYS") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="IO.SYS") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="boot.ini") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="AUTOEXEC.BAT") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="ntuser.dat") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="desktop.ini") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="CONFIG.SYS") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="RECYCLER") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="BOOTSECT.BAK") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="bootmgr") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="programdata") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="appdata") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="program files") returned 1 [0232.229] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="program files (x86)") returned 1 [0232.230] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="microsoft") returned 1 [0232.230] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="sophos") returned 1 [0232.230] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1470 [0232.230] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0232.230] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0232.230] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0232.231] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0232.231] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0232.231] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0232.231] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1408 [0232.231] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0232.231] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=1150) returned 1 [0232.231] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d8 [0232.231] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0232.231] SystemFunction036 (in: RandomBuffer=0x28d14d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d8) returned 1 [0232.231] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0232.231] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0232.231] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0232.231] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0232.232] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0232.232] GetTickCount () returned 0x117a7ac [0232.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1508 [0232.232] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0232.232] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.233] SetLastError (dwErrCode=0x0) [0232.233] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.244] GetLastError () returned 0x0 [0232.244] GetLastError () returned 0x0 [0232.244] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.244] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.245] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x67e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.245] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0bdcfc5, dwHighDateTime=0x1d5fd73)) [0232.245] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d21e0 [0232.245] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0232.245] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0232.245] GetProcessHeap () returned 0xa10000 [0232.245] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x47e) returned 0xa3b688 [0232.245] GetSystemDefaultLangID () returned 0xa20409 [0232.245] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.245] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x47e, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x47e, lpOverlapped=0x0) returned 1 [0232.246] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.246] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x47e, lpOverlapped=0x0) returned 1 [0232.247] GetProcessHeap () returned 0xa10000 [0232.247] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.247] CloseHandle (hObject=0x264) returned 1 [0232.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0232.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0232.253] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1fd0 [0232.253] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico.nefilim")) returned 1 [0232.254] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.254] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0232.254] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2=".") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="..") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="...") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="windows") returned -1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="$RECYCLE.BIN") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="rsa") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="NTDETECT.COM") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="ntldr") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="MSDOS.SYS") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="IO.SYS") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="boot.ini") returned 1 [0232.254] lstrcmpiW (lpString1="warn.ico", lpString2="AUTOEXEC.BAT") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="ntuser.dat") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="desktop.ini") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="CONFIG.SYS") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="RECYCLER") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="BOOTSECT.BAK") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="bootmgr") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="programdata") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="appdata") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="program files") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="program files (x86)") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="microsoft") returned 1 [0232.255] lstrcmpiW (lpString1="warn.ico", lpString2="sophos") returned 1 [0232.255] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1408 [0232.255] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1470 | out: hHeap=0x28d0000) returned 1 [0232.255] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0232.255] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0232.255] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0232.255] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0232.255] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0232.255] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0232.255] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0232.255] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0232.255] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0232.255] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0232.256] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0232.256] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0232.256] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0232.256] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0232.256] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0232.256] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0232.256] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0232.256] lstrcmpiW (lpString1="warn.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0232.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1460 [0232.256] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0232.256] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=10134) returned 1 [0232.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14b8 [0232.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14d0 [0232.256] SystemFunction036 (in: RandomBuffer=0x28d14b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14b8) returned 1 [0232.256] SystemFunction036 (in: RandomBuffer=0x28d14d0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14d0) returned 1 [0232.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0232.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0232.257] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0232.257] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0232.257] GetTickCount () returned 0x117a7bc [0232.258] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14e8 [0232.258] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14e8 | out: hHeap=0x28d0000) returned 1 [0232.258] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2796, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.258] SetLastError (dwErrCode=0x0) [0232.258] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.263] GetLastError () returned 0x0 [0232.263] GetLastError () returned 0x0 [0232.263] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2896, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.263] WriteFile (in: hFile=0x264, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0232.263] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2996, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.263] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xb0c29264, dwHighDateTime=0x1d5fd73)) [0232.263] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14e8 [0232.263] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14e8 | out: hHeap=0x28d0000) returned 1 [0232.263] WriteFile (in: hFile=0x264, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0232.263] GetProcessHeap () returned 0xa10000 [0232.263] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2796) returned 0xa3b688 [0232.263] GetSystemDefaultLangID () returned 0xa20409 [0232.263] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.263] ReadFile (in: hFile=0x264, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x2796, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26eef8c*=0x2796, lpOverlapped=0x0) returned 1 [0232.265] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.265] WriteFile (in: hFile=0x264, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26eef80*=0x2796, lpOverlapped=0x0) returned 1 [0232.266] GetProcessHeap () returned 0xa10000 [0232.266] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.266] CloseHandle (hObject=0x264) returned 1 [0232.267] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.267] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.267] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0232.267] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d0 | out: hHeap=0x28d0000) returned 1 [0232.267] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d14b8 [0232.267] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico.nefilim")) returned 1 [0232.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0232.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1460 | out: hHeap=0x28d0000) returned 1 [0232.268] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x28d1330, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0232.268] FindClose (in: hFindFile=0xa2f420 | out: hFindFile=0xa2f420) returned 1 [0232.269] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0232.269] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0232.269] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0232.269] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2=".") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="..") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="...") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="windows") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="$RECYCLE.BIN") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="rsa") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="NTDETECT.COM") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="ntldr") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="MSDOS.SYS") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="IO.SYS") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="boot.ini") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="ntuser.dat") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="desktop.ini") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="CONFIG.SYS") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="RECYCLER") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="BOOTSECT.BAK") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="bootmgr") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="programdata") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="appdata") returned 1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="program files") returned -1 [0232.269] lstrcmpiW (lpString1="header.bmp", lpString2="program files (x86)") returned -1 [0232.270] lstrcmpiW (lpString1="header.bmp", lpString2="microsoft") returned -1 [0232.270] lstrcmpiW (lpString1="header.bmp", lpString2="sophos") returned -1 [0232.270] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d13c0 [0232.270] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0232.270] PathFindExtensionW (pszPath="header.bmp") returned=".bmp" [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0232.270] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0232.270] lstrcmpiW (lpString1="header.bmp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0232.270] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0232.271] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0232.294] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=3628) returned 1 [0232.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1388 [0232.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13a0 [0232.294] SystemFunction036 (in: RandomBuffer=0x28d1388, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1388) returned 1 [0232.294] SystemFunction036 (in: RandomBuffer=0x28d13a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13a0) returned 1 [0232.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1418 [0232.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0232.294] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1418*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1418*, pdwDataLen=0x26ef248*=0x100) returned 1 [0232.296] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0232.299] GetTickCount () returned 0x117a7eb [0232.299] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0232.299] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.299] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.299] SetLastError (dwErrCode=0x0) [0232.299] WriteFile (in: hFile=0x260, lpBuffer=0x28d1418*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1418*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0232.321] GetLastError () returned 0x0 [0232.321] GetLastError () returned 0x0 [0232.321] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.321] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0232.322] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x102c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.322] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xb0cbe240, dwHighDateTime=0x1d5fd73)) [0232.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0232.322] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.322] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0232.322] GetProcessHeap () returned 0xa10000 [0232.323] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe2c) returned 0xa39e78 [0232.323] GetSystemDefaultLangID () returned 0xa20409 [0232.323] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.323] ReadFile (in: hFile=0x260, lpBuffer=0xa39e78, nNumberOfBytesToRead=0xe2c, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa39e78*, lpNumberOfBytesRead=0x26ef2ac*=0xe2c, lpOverlapped=0x0) returned 1 [0232.323] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.323] WriteFile (in: hFile=0x260, lpBuffer=0xa39e78*, nNumberOfBytesToWrite=0xe2c, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa39e78*, lpNumberOfBytesWritten=0x26ef2a0*=0xe2c, lpOverlapped=0x0) returned 1 [0232.325] GetProcessHeap () returned 0xa10000 [0232.325] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa39e78 | out: hHeap=0xa10000) returned 1 [0232.325] CloseHandle (hObject=0x260) returned 1 [0232.328] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1418 | out: hHeap=0x28d0000) returned 1 [0232.328] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0232.328] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0232.328] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13a0 | out: hHeap=0x28d0000) returned 1 [0232.328] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1418 [0232.328] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\header.bmp.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\header.bmp.nefilim")) returned 1 [0232.329] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1418 | out: hHeap=0x28d0000) returned 1 [0232.329] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0232.329] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0232.329] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2=".") returned 1 [0232.329] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="..") returned 1 [0232.329] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="...") returned 1 [0232.329] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="windows") returned -1 [0232.329] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="$RECYCLE.BIN") returned 1 [0232.329] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="rsa") returned -1 [0232.329] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="NTDETECT.COM") returned -1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="ntldr") returned -1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="MSDOS.SYS") returned 1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="IO.SYS") returned 1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="boot.ini") returned 1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="AUTOEXEC.BAT") returned 1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="ntuser.dat") returned -1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="desktop.ini") returned 1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="CONFIG.SYS") returned 1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="RECYCLER") returned -1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="BOOTSECT.BAK") returned 1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="bootmgr") returned 1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="programdata") returned -1 [0232.330] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="appdata") returned 1 [0232.331] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="program files") returned -1 [0232.331] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="program files (x86)") returned -1 [0232.331] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="microsoft") returned 1 [0232.331] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="sophos") returned -1 [0232.331] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0232.331] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13c0 | out: hHeap=0x28d0000) returned 1 [0232.331] PathFindExtensionW (pszPath="netfx_Core.mzz") returned=".mzz" [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".exe") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".log") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".cab") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".cmd") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".com") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".cpl") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".ini") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".dll") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".url") returned -1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".ttf") returned -1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".mp3") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".pif") returned -1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".mp4") returned 1 [0232.331] lstrcmpiW (lpString1=".mzz", lpString2=".NEFILIM") returned -1 [0232.332] lstrcmpiW (lpString1=".mzz", lpString2=".msi") returned 1 [0232.332] lstrcmpiW (lpString1=".mzz", lpString2=".lnk") returned 1 [0232.332] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0232.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1388 [0232.332] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0232.333] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=181483595) returned 1 [0232.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13e0 [0232.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13f8 [0232.333] SystemFunction036 (in: RandomBuffer=0x28d13e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13e0) returned 1 [0232.333] SystemFunction036 (in: RandomBuffer=0x28d13f8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13f8) returned 1 [0232.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1410 [0232.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0232.334] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x100) returned 1 [0232.338] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0232.345] GetTickCount () returned 0x117a81a [0232.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0232.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.345] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xad1384b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.345] SetLastError (dwErrCode=0x0) [0232.345] WriteFile (in: hFile=0x260, lpBuffer=0x28d1410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1410*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0232.562] GetLastError () returned 0x0 [0232.562] GetLastError () returned 0x0 [0232.562] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xad1394b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.562] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0232.563] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xad13a4b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.563] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xb0efd622, dwHighDateTime=0x1d5fd73)) [0232.563] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0232.563] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0232.563] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0232.563] GetProcessHeap () returned 0xa10000 [0232.563] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.564] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.657] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.658] GetProcessHeap () returned 0xa10000 [0232.658] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.658] GetProcessHeap () returned 0xa10000 [0232.658] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.659] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.659] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.671] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.672] GetProcessHeap () returned 0xa10000 [0232.672] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.672] GetProcessHeap () returned 0xa10000 [0232.672] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.672] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.672] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.686] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.686] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.687] GetProcessHeap () returned 0xa10000 [0232.687] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.687] GetProcessHeap () returned 0xa10000 [0232.687] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.687] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.687] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.697] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.697] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.698] GetProcessHeap () returned 0xa10000 [0232.698] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.698] GetProcessHeap () returned 0xa10000 [0232.698] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.698] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.698] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.761] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.761] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.763] GetProcessHeap () returned 0xa10000 [0232.763] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.763] GetProcessHeap () returned 0xa10000 [0232.763] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.763] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.763] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.774] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.774] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.775] GetProcessHeap () returned 0xa10000 [0232.775] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.775] GetProcessHeap () returned 0xa10000 [0232.775] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.775] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.775] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.785] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.785] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.786] GetProcessHeap () returned 0xa10000 [0232.786] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.786] GetProcessHeap () returned 0xa10000 [0232.786] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.786] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.786] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.837] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.837] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.838] GetProcessHeap () returned 0xa10000 [0232.838] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.838] GetProcessHeap () returned 0xa10000 [0232.838] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.838] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.838] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.901] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.901] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.902] GetProcessHeap () returned 0xa10000 [0232.902] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.902] GetProcessHeap () returned 0xa10000 [0232.902] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.902] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.903] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.914] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.914] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.915] GetProcessHeap () returned 0xa10000 [0232.915] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.915] GetProcessHeap () returned 0xa10000 [0232.915] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.915] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.915] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.962] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.962] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.962] GetProcessHeap () returned 0xa10000 [0232.962] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.963] GetProcessHeap () returned 0xa10000 [0232.963] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.963] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.963] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.971] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.971] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.972] GetProcessHeap () returned 0xa10000 [0232.972] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.972] GetProcessHeap () returned 0xa10000 [0232.972] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.972] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.972] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0232.978] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.979] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0232.979] GetProcessHeap () returned 0xa10000 [0232.979] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0232.979] GetProcessHeap () returned 0xa10000 [0232.979] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0232.979] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0232.979] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.067] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.067] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.067] GetProcessHeap () returned 0xa10000 [0233.067] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.067] GetProcessHeap () returned 0xa10000 [0233.067] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.068] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.068] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.075] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.075] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.076] GetProcessHeap () returned 0xa10000 [0233.076] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.076] GetProcessHeap () returned 0xa10000 [0233.076] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.076] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.076] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.134] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.134] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.135] GetProcessHeap () returned 0xa10000 [0233.135] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.135] GetProcessHeap () returned 0xa10000 [0233.135] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.135] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.135] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.143] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.143] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.144] GetProcessHeap () returned 0xa10000 [0233.144] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.144] GetProcessHeap () returned 0xa10000 [0233.144] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.144] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.144] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.197] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.197] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.197] GetProcessHeap () returned 0xa10000 [0233.197] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.197] GetProcessHeap () returned 0xa10000 [0233.197] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.197] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.198] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.245] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.245] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.245] GetProcessHeap () returned 0xa10000 [0233.245] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.245] GetProcessHeap () returned 0xa10000 [0233.245] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.246] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.246] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.255] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.255] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.256] GetProcessHeap () returned 0xa10000 [0233.256] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.256] GetProcessHeap () returned 0xa10000 [0233.256] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.256] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.256] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.263] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.263] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.264] GetProcessHeap () returned 0xa10000 [0233.264] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.264] GetProcessHeap () returned 0xa10000 [0233.264] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.264] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.264] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.363] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.363] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.364] GetProcessHeap () returned 0xa10000 [0233.364] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.364] GetProcessHeap () returned 0xa10000 [0233.364] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.364] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.364] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.372] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.372] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.373] GetProcessHeap () returned 0xa10000 [0233.373] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.373] GetProcessHeap () returned 0xa10000 [0233.373] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.373] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.373] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0233.382] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.382] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0233.383] GetProcessHeap () returned 0xa10000 [0233.383] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0233.383] GetProcessHeap () returned 0xa10000 [0233.383] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0233.383] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0233.383] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.322] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.322] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.322] GetProcessHeap () returned 0xa10000 [0234.322] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.323] GetProcessHeap () returned 0xa10000 [0234.323] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.323] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.323] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.382] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.382] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.383] GetProcessHeap () returned 0xa10000 [0234.384] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.384] GetProcessHeap () returned 0xa10000 [0234.384] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.384] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.384] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.394] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.394] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.394] GetProcessHeap () returned 0xa10000 [0234.394] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.394] GetProcessHeap () returned 0xa10000 [0234.394] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.394] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.395] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.572] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.572] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.573] GetProcessHeap () returned 0xa10000 [0234.573] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.573] GetProcessHeap () returned 0xa10000 [0234.573] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.573] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.573] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.596] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.597] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.597] GetProcessHeap () returned 0xa10000 [0234.598] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.598] GetProcessHeap () returned 0xa10000 [0234.598] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.598] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.598] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.669] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.669] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.671] GetProcessHeap () returned 0xa10000 [0234.671] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.671] GetProcessHeap () returned 0xa10000 [0234.671] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.671] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.726] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.726] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.727] GetProcessHeap () returned 0xa10000 [0234.727] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.727] GetProcessHeap () returned 0xa10000 [0234.727] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.727] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.727] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.734] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.734] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.735] GetProcessHeap () returned 0xa10000 [0234.735] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.735] GetProcessHeap () returned 0xa10000 [0234.735] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.735] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.735] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.743] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.743] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.744] GetProcessHeap () returned 0xa10000 [0234.744] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.744] GetProcessHeap () returned 0xa10000 [0234.744] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.744] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.744] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.752] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.752] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.753] GetProcessHeap () returned 0xa10000 [0234.753] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.753] GetProcessHeap () returned 0xa10000 [0234.753] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.753] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.753] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.805] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.805] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.806] GetProcessHeap () returned 0xa10000 [0234.806] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.806] GetProcessHeap () returned 0xa10000 [0234.806] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.806] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.806] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.815] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.815] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.815] GetProcessHeap () returned 0xa10000 [0234.815] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.815] GetProcessHeap () returned 0xa10000 [0234.815] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.815] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.816] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.824] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.824] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.824] GetProcessHeap () returned 0xa10000 [0234.825] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.825] GetProcessHeap () returned 0xa10000 [0234.825] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.825] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.825] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.832] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.833] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.833] GetProcessHeap () returned 0xa10000 [0234.833] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.833] GetProcessHeap () returned 0xa10000 [0234.833] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.833] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.833] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.884] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.885] GetProcessHeap () returned 0xa10000 [0234.885] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.885] GetProcessHeap () returned 0xa10000 [0234.885] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.885] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.885] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.897] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.897] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.897] GetProcessHeap () returned 0xa10000 [0234.898] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.898] GetProcessHeap () returned 0xa10000 [0234.898] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.898] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.898] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.907] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.912] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.913] GetProcessHeap () returned 0xa10000 [0234.913] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.913] GetProcessHeap () returned 0xa10000 [0234.913] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.913] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.913] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.921] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.921] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.922] GetProcessHeap () returned 0xa10000 [0234.922] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.922] GetProcessHeap () returned 0xa10000 [0234.922] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.922] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.922] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.984] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.984] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.984] GetProcessHeap () returned 0xa10000 [0234.984] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.984] GetProcessHeap () returned 0xa10000 [0234.984] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.984] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.984] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0234.993] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.994] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0234.994] GetProcessHeap () returned 0xa10000 [0234.994] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0234.994] GetProcessHeap () returned 0xa10000 [0234.994] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0234.994] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.994] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.003] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.003] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.004] GetProcessHeap () returned 0xa10000 [0235.004] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.004] GetProcessHeap () returned 0xa10000 [0235.004] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.004] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.004] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.013] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.013] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.014] GetProcessHeap () returned 0xa10000 [0235.014] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.014] GetProcessHeap () returned 0xa10000 [0235.014] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.014] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.014] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.115] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.115] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.116] GetProcessHeap () returned 0xa10000 [0235.116] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.116] GetProcessHeap () returned 0xa10000 [0235.116] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.116] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.116] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.126] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.126] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.127] GetProcessHeap () returned 0xa10000 [0235.127] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.127] GetProcessHeap () returned 0xa10000 [0235.127] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.127] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.127] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.136] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.136] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.137] GetProcessHeap () returned 0xa10000 [0235.137] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.137] GetProcessHeap () returned 0xa10000 [0235.137] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.137] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.137] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.200] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.201] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.201] GetProcessHeap () returned 0xa10000 [0235.201] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.201] GetProcessHeap () returned 0xa10000 [0235.201] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.201] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.201] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.218] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.219] GetProcessHeap () returned 0xa10000 [0235.219] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.219] GetProcessHeap () returned 0xa10000 [0235.219] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.219] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.220] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.230] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.230] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.231] GetProcessHeap () returned 0xa10000 [0235.231] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.231] GetProcessHeap () returned 0xa10000 [0235.231] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.231] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.231] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.275] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.275] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.276] GetProcessHeap () returned 0xa10000 [0235.276] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.276] GetProcessHeap () returned 0xa10000 [0235.276] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.276] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.276] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.285] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.285] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.286] GetProcessHeap () returned 0xa10000 [0235.286] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.286] GetProcessHeap () returned 0xa10000 [0235.286] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.286] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.286] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.296] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.296] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.297] GetProcessHeap () returned 0xa10000 [0235.297] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.297] GetProcessHeap () returned 0xa10000 [0235.297] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.297] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.297] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.415] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.415] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.416] GetProcessHeap () returned 0xa10000 [0235.416] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.416] GetProcessHeap () returned 0xa10000 [0235.416] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.416] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.416] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.441] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.441] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.442] GetProcessHeap () returned 0xa10000 [0235.442] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.442] GetProcessHeap () returned 0xa10000 [0235.442] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.442] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.442] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.451] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.451] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.452] GetProcessHeap () returned 0xa10000 [0235.452] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.452] GetProcessHeap () returned 0xa10000 [0235.452] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.452] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.452] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.556] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.556] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.557] GetProcessHeap () returned 0xa10000 [0235.557] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.557] GetProcessHeap () returned 0xa10000 [0235.557] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.557] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.557] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.655] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.655] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.655] GetProcessHeap () returned 0xa10000 [0235.655] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.655] GetProcessHeap () returned 0xa10000 [0235.655] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.655] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.656] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.665] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.665] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.665] GetProcessHeap () returned 0xa10000 [0235.665] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.665] GetProcessHeap () returned 0xa10000 [0235.665] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.665] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.666] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.675] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.675] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.676] GetProcessHeap () returned 0xa10000 [0235.676] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.676] GetProcessHeap () returned 0xa10000 [0235.676] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.676] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.676] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.685] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.686] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.686] GetProcessHeap () returned 0xa10000 [0235.686] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.686] GetProcessHeap () returned 0xa10000 [0235.686] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.686] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.686] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.797] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.797] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.797] GetProcessHeap () returned 0xa10000 [0235.797] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.798] GetProcessHeap () returned 0xa10000 [0235.798] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.798] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.798] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.807] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.807] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.808] GetProcessHeap () returned 0xa10000 [0235.808] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.808] GetProcessHeap () returned 0xa10000 [0235.808] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.808] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.808] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.818] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.818] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.819] GetProcessHeap () returned 0xa10000 [0235.819] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.819] GetProcessHeap () returned 0xa10000 [0235.819] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.819] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.819] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0235.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.948] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0235.948] GetProcessHeap () returned 0xa10000 [0235.948] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0235.948] GetProcessHeap () returned 0xa10000 [0235.948] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0235.948] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0235.949] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.011] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.011] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.012] GetProcessHeap () returned 0xa10000 [0236.013] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.013] GetProcessHeap () returned 0xa10000 [0236.013] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.013] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.013] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.024] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.024] GetProcessHeap () returned 0xa10000 [0236.025] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.025] GetProcessHeap () returned 0xa10000 [0236.025] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.025] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.025] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.147] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.147] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.148] GetProcessHeap () returned 0xa10000 [0236.148] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.148] GetProcessHeap () returned 0xa10000 [0236.148] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.148] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.148] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.157] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.157] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.158] GetProcessHeap () returned 0xa10000 [0236.158] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.158] GetProcessHeap () returned 0xa10000 [0236.158] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.158] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.158] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.304] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.304] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.305] GetProcessHeap () returned 0xa10000 [0236.305] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.305] GetProcessHeap () returned 0xa10000 [0236.305] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.305] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.305] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.513] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.513] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.513] GetProcessHeap () returned 0xa10000 [0236.513] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.513] GetProcessHeap () returned 0xa10000 [0236.513] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.513] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.513] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.529] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.529] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.530] GetProcessHeap () returned 0xa10000 [0236.530] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.530] GetProcessHeap () returned 0xa10000 [0236.530] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.530] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.530] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.540] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.540] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.540] GetProcessHeap () returned 0xa10000 [0236.540] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.540] GetProcessHeap () returned 0xa10000 [0236.540] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.541] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.541] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.648] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.648] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.649] GetProcessHeap () returned 0xa10000 [0236.649] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.650] GetProcessHeap () returned 0xa10000 [0236.650] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.650] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.650] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.661] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.661] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.661] GetProcessHeap () returned 0xa10000 [0236.661] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.662] GetProcessHeap () returned 0xa10000 [0236.662] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.662] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.662] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.671] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.673] GetProcessHeap () returned 0xa10000 [0236.673] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.674] GetProcessHeap () returned 0xa10000 [0236.674] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.674] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.674] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.684] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.684] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.685] GetProcessHeap () returned 0xa10000 [0236.685] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.685] GetProcessHeap () returned 0xa10000 [0236.685] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.685] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.685] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.787] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.787] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.788] GetProcessHeap () returned 0xa10000 [0236.788] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.788] GetProcessHeap () returned 0xa10000 [0236.788] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.788] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.788] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.915] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.915] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.915] GetProcessHeap () returned 0xa10000 [0236.915] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.915] GetProcessHeap () returned 0xa10000 [0236.915] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.915] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.915] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.923] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.923] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.924] GetProcessHeap () returned 0xa10000 [0236.924] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.924] GetProcessHeap () returned 0xa10000 [0236.924] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.924] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.924] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0236.933] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.933] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0236.933] GetProcessHeap () returned 0xa10000 [0236.933] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0236.933] GetProcessHeap () returned 0xa10000 [0236.933] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0236.933] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.934] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.040] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.040] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.041] GetProcessHeap () returned 0xa10000 [0237.041] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.041] GetProcessHeap () returned 0xa10000 [0237.041] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.041] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.041] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.058] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.058] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.059] GetProcessHeap () returned 0xa10000 [0237.059] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.059] GetProcessHeap () returned 0xa10000 [0237.059] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.059] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.059] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.069] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.069] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.070] GetProcessHeap () returned 0xa10000 [0237.070] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.070] GetProcessHeap () returned 0xa10000 [0237.070] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.070] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.070] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.165] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.166] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.166] GetProcessHeap () returned 0xa10000 [0237.166] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.166] GetProcessHeap () returned 0xa10000 [0237.166] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.166] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.167] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.178] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.178] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.179] GetProcessHeap () returned 0xa10000 [0237.179] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.179] GetProcessHeap () returned 0xa10000 [0237.179] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.179] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.179] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.359] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.359] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.547] GetProcessHeap () returned 0xa10000 [0237.547] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.547] GetProcessHeap () returned 0xa10000 [0237.547] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.547] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.547] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.557] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.557] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.557] GetProcessHeap () returned 0xa10000 [0237.557] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.557] GetProcessHeap () returned 0xa10000 [0237.557] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.558] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.558] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.567] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.567] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.568] GetProcessHeap () returned 0xa10000 [0237.568] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.568] GetProcessHeap () returned 0xa10000 [0237.568] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.568] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.568] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.579] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.579] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.580] GetProcessHeap () returned 0xa10000 [0237.580] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.580] GetProcessHeap () returned 0xa10000 [0237.580] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.580] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.580] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.679] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.679] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.680] GetProcessHeap () returned 0xa10000 [0237.680] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.680] GetProcessHeap () returned 0xa10000 [0237.680] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.681] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.681] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.689] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.689] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.690] GetProcessHeap () returned 0xa10000 [0237.690] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.690] GetProcessHeap () returned 0xa10000 [0237.690] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.690] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.690] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.699] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.699] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.699] GetProcessHeap () returned 0xa10000 [0237.700] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.700] GetProcessHeap () returned 0xa10000 [0237.700] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.700] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.700] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.709] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.709] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.709] GetProcessHeap () returned 0xa10000 [0237.709] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.710] GetProcessHeap () returned 0xa10000 [0237.710] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.710] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.710] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.828] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.828] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.829] GetProcessHeap () returned 0xa10000 [0237.829] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.829] GetProcessHeap () returned 0xa10000 [0237.829] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.830] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.830] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.838] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.838] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.839] GetProcessHeap () returned 0xa10000 [0237.839] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.839] GetProcessHeap () returned 0xa10000 [0237.839] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.839] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.839] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.848] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.848] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.849] GetProcessHeap () returned 0xa10000 [0237.849] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.849] GetProcessHeap () returned 0xa10000 [0237.849] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.849] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.849] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.945] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.945] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.946] GetProcessHeap () returned 0xa10000 [0237.946] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.946] GetProcessHeap () returned 0xa10000 [0237.946] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.946] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0237.959] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.959] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0237.960] GetProcessHeap () returned 0xa10000 [0237.960] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0237.960] GetProcessHeap () returned 0xa10000 [0237.960] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0237.960] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.960] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.071] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.072] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.072] GetProcessHeap () returned 0xa10000 [0238.072] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.072] GetProcessHeap () returned 0xa10000 [0238.072] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.073] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.167] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.167] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.168] GetProcessHeap () returned 0xa10000 [0238.168] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.168] GetProcessHeap () returned 0xa10000 [0238.168] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.168] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.168] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.179] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.179] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.180] GetProcessHeap () returned 0xa10000 [0238.180] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.180] GetProcessHeap () returned 0xa10000 [0238.180] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.180] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.180] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.192] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.192] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.192] GetProcessHeap () returned 0xa10000 [0238.193] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.193] GetProcessHeap () returned 0xa10000 [0238.193] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.193] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.193] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.301] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.301] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.302] GetProcessHeap () returned 0xa10000 [0238.302] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.302] GetProcessHeap () returned 0xa10000 [0238.302] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.302] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.302] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.310] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.310] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.310] GetProcessHeap () returned 0xa10000 [0238.310] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.310] GetProcessHeap () returned 0xa10000 [0238.310] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.310] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.311] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.319] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.319] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.320] GetProcessHeap () returned 0xa10000 [0238.320] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.320] GetProcessHeap () returned 0xa10000 [0238.320] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.320] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.320] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.418] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.419] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.419] GetProcessHeap () returned 0xa10000 [0238.419] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.419] GetProcessHeap () returned 0xa10000 [0238.419] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.419] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.420] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.601] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.601] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.602] GetProcessHeap () returned 0xa10000 [0238.602] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.603] GetProcessHeap () returned 0xa10000 [0238.603] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.603] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.603] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.613] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.613] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.614] GetProcessHeap () returned 0xa10000 [0238.614] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.614] GetProcessHeap () returned 0xa10000 [0238.614] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.614] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.614] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.721] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.721] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.721] GetProcessHeap () returned 0xa10000 [0238.722] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.722] GetProcessHeap () returned 0xa10000 [0238.722] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.722] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.722] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.732] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.732] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.733] GetProcessHeap () returned 0xa10000 [0238.733] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.733] GetProcessHeap () returned 0xa10000 [0238.733] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.733] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.733] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0238.867] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.868] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0238.869] GetProcessHeap () returned 0xa10000 [0238.869] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0238.869] GetProcessHeap () returned 0xa10000 [0238.869] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0238.869] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.869] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.008] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.008] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.009] GetProcessHeap () returned 0xa10000 [0239.009] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.009] GetProcessHeap () returned 0xa10000 [0239.009] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.009] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.009] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.018] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.019] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.019] GetProcessHeap () returned 0xa10000 [0239.019] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.019] GetProcessHeap () returned 0xa10000 [0239.019] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.019] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.020] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.033] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.033] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.033] GetProcessHeap () returned 0xa10000 [0239.034] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.034] GetProcessHeap () returned 0xa10000 [0239.034] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.034] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.034] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.147] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.147] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.149] GetProcessHeap () returned 0xa10000 [0239.149] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.149] GetProcessHeap () returned 0xa10000 [0239.149] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.149] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.157] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.157] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.158] GetProcessHeap () returned 0xa10000 [0239.158] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.158] GetProcessHeap () returned 0xa10000 [0239.158] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.158] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.158] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.292] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.292] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.293] GetProcessHeap () returned 0xa10000 [0239.293] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.293] GetProcessHeap () returned 0xa10000 [0239.293] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.293] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.293] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.304] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.304] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.421] GetProcessHeap () returned 0xa10000 [0239.421] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.421] GetProcessHeap () returned 0xa10000 [0239.421] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.421] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.421] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.432] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.432] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.433] GetProcessHeap () returned 0xa10000 [0239.433] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.433] GetProcessHeap () returned 0xa10000 [0239.433] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.433] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.433] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.748] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.748] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.749] GetProcessHeap () returned 0xa10000 [0239.749] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.766] GetProcessHeap () returned 0xa10000 [0239.846] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.846] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.846] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.854] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.854] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.855] GetProcessHeap () returned 0xa10000 [0239.855] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.855] GetProcessHeap () returned 0xa10000 [0239.855] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.855] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.855] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.863] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.863] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.864] GetProcessHeap () returned 0xa10000 [0239.864] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.864] GetProcessHeap () returned 0xa10000 [0239.864] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.864] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.864] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.874] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.874] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.875] GetProcessHeap () returned 0xa10000 [0239.875] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.875] GetProcessHeap () returned 0xa10000 [0239.875] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.875] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.875] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0239.977] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.977] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0239.977] GetProcessHeap () returned 0xa10000 [0239.977] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0239.977] GetProcessHeap () returned 0xa10000 [0239.977] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0239.977] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.978] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.070] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.070] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.071] GetProcessHeap () returned 0xa10000 [0240.071] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.071] GetProcessHeap () returned 0xa10000 [0240.071] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.071] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.071] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.081] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.082] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.082] GetProcessHeap () returned 0xa10000 [0240.082] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.082] GetProcessHeap () returned 0xa10000 [0240.082] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.082] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.092] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.092] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.093] GetProcessHeap () returned 0xa10000 [0240.093] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.093] GetProcessHeap () returned 0xa10000 [0240.093] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.093] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.093] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.182] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.184] GetProcessHeap () returned 0xa10000 [0240.184] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.184] GetProcessHeap () returned 0xa10000 [0240.184] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.184] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.184] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.193] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.194] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.194] GetProcessHeap () returned 0xa10000 [0240.194] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.194] GetProcessHeap () returned 0xa10000 [0240.194] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.194] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.195] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.204] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.204] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.205] GetProcessHeap () returned 0xa10000 [0240.205] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.205] GetProcessHeap () returned 0xa10000 [0240.205] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.205] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.205] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.216] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.216] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.216] GetProcessHeap () returned 0xa10000 [0240.216] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.216] GetProcessHeap () returned 0xa10000 [0240.216] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.217] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.217] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.329] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.329] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.330] GetProcessHeap () returned 0xa10000 [0240.331] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.331] GetProcessHeap () returned 0xa10000 [0240.331] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.331] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.331] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.339] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.339] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.340] GetProcessHeap () returned 0xa10000 [0240.340] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.340] GetProcessHeap () returned 0xa10000 [0240.340] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.340] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.340] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.349] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.349] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.349] GetProcessHeap () returned 0xa10000 [0240.349] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.349] GetProcessHeap () returned 0xa10000 [0240.349] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.350] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.350] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.428] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.429] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.429] GetProcessHeap () returned 0xa10000 [0240.429] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.429] GetProcessHeap () returned 0xa10000 [0240.429] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.429] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.429] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.550] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.550] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.551] GetProcessHeap () returned 0xa10000 [0240.551] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.551] GetProcessHeap () returned 0xa10000 [0240.551] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.552] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.552] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.559] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.559] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.559] GetProcessHeap () returned 0xa10000 [0240.559] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.559] GetProcessHeap () returned 0xa10000 [0240.559] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.559] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.559] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.568] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.568] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.569] GetProcessHeap () returned 0xa10000 [0240.569] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.569] GetProcessHeap () returned 0xa10000 [0240.569] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.569] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.569] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.633] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.633] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.634] GetProcessHeap () returned 0xa10000 [0240.634] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.634] GetProcessHeap () returned 0xa10000 [0240.634] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.634] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.634] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.643] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.643] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.644] GetProcessHeap () returned 0xa10000 [0240.644] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.644] GetProcessHeap () returned 0xa10000 [0240.644] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.644] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.644] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.743] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.743] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.744] GetProcessHeap () returned 0xa10000 [0240.744] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.744] GetProcessHeap () returned 0xa10000 [0240.744] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.744] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.744] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.836] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.836] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.837] GetProcessHeap () returned 0xa10000 [0240.837] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.837] GetProcessHeap () returned 0xa10000 [0240.837] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.837] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.837] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.848] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.848] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.849] GetProcessHeap () returned 0xa10000 [0240.849] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.849] GetProcessHeap () returned 0xa10000 [0240.849] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.849] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.849] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.859] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.860] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.861] GetProcessHeap () returned 0xa10000 [0240.861] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.861] GetProcessHeap () returned 0xa10000 [0240.861] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.861] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.861] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.947] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.948] GetProcessHeap () returned 0xa10000 [0240.948] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.948] GetProcessHeap () returned 0xa10000 [0240.948] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.948] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.948] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.957] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.957] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.958] GetProcessHeap () returned 0xa10000 [0240.958] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.958] GetProcessHeap () returned 0xa10000 [0240.958] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.958] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.958] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.968] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.968] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.969] GetProcessHeap () returned 0xa10000 [0240.969] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.969] GetProcessHeap () returned 0xa10000 [0240.969] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.969] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.969] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0240.979] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.979] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0240.980] GetProcessHeap () returned 0xa10000 [0240.980] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0240.980] GetProcessHeap () returned 0xa10000 [0240.980] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0240.980] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.980] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.053] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.053] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.054] GetProcessHeap () returned 0xa10000 [0241.054] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.054] GetProcessHeap () returned 0xa10000 [0241.054] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.054] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.054] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.062] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.062] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.063] GetProcessHeap () returned 0xa10000 [0241.063] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.063] GetProcessHeap () returned 0xa10000 [0241.063] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.063] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.063] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.072] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.072] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.073] GetProcessHeap () returned 0xa10000 [0241.073] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.073] GetProcessHeap () returned 0xa10000 [0241.073] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.073] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.161] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.161] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.161] GetProcessHeap () returned 0xa10000 [0241.162] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.162] GetProcessHeap () returned 0xa10000 [0241.162] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.162] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.162] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.177] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.177] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.178] GetProcessHeap () returned 0xa10000 [0241.179] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.179] GetProcessHeap () returned 0xa10000 [0241.179] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.179] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.179] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.185] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.185] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.186] GetProcessHeap () returned 0xa10000 [0241.186] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.186] GetProcessHeap () returned 0xa10000 [0241.186] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.186] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.186] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.282] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.282] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.283] GetProcessHeap () returned 0xa10000 [0241.283] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.283] GetProcessHeap () returned 0xa10000 [0241.283] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.283] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.283] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.367] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.367] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.368] GetProcessHeap () returned 0xa10000 [0241.368] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.368] GetProcessHeap () returned 0xa10000 [0241.368] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.368] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.368] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.476] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.476] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.477] GetProcessHeap () returned 0xa10000 [0241.477] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.478] GetProcessHeap () returned 0xa10000 [0241.478] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.478] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.478] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.487] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.487] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.488] GetProcessHeap () returned 0xa10000 [0241.488] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.488] GetProcessHeap () returned 0xa10000 [0241.488] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.488] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.488] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.641] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.641] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.642] GetProcessHeap () returned 0xa10000 [0241.642] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.642] GetProcessHeap () returned 0xa10000 [0241.642] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.642] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.651] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.652] GetProcessHeap () returned 0xa10000 [0241.652] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.652] GetProcessHeap () returned 0xa10000 [0241.652] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.652] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.660] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.660] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.660] GetProcessHeap () returned 0xa10000 [0241.661] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.661] GetProcessHeap () returned 0xa10000 [0241.661] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.661] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.661] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.919] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.919] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.920] GetProcessHeap () returned 0xa10000 [0241.920] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.920] GetProcessHeap () returned 0xa10000 [0241.920] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.920] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.920] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.928] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.928] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.930] GetProcessHeap () returned 0xa10000 [0241.930] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.930] GetProcessHeap () returned 0xa10000 [0241.930] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.931] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.931] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.940] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.940] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.941] GetProcessHeap () returned 0xa10000 [0241.941] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.941] GetProcessHeap () returned 0xa10000 [0241.941] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.941] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.941] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0241.952] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.952] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0241.953] GetProcessHeap () returned 0xa10000 [0241.953] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0241.953] GetProcessHeap () returned 0xa10000 [0241.953] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0241.953] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.953] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.112] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.112] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.113] GetProcessHeap () returned 0xa10000 [0242.113] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.113] GetProcessHeap () returned 0xa10000 [0242.113] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.113] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.113] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.122] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.122] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.122] GetProcessHeap () returned 0xa10000 [0242.123] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.123] GetProcessHeap () returned 0xa10000 [0242.123] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.123] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.123] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.132] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.132] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.133] GetProcessHeap () returned 0xa10000 [0242.133] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.133] GetProcessHeap () returned 0xa10000 [0242.133] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.133] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.133] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.142] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.142] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.143] GetProcessHeap () returned 0xa10000 [0242.143] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.143] GetProcessHeap () returned 0xa10000 [0242.143] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.143] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.143] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.244] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.244] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.245] GetProcessHeap () returned 0xa10000 [0242.245] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.245] GetProcessHeap () returned 0xa10000 [0242.245] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.245] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.245] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.255] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.255] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.256] GetProcessHeap () returned 0xa10000 [0242.256] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.256] GetProcessHeap () returned 0xa10000 [0242.256] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.256] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.256] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.265] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.266] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.266] GetProcessHeap () returned 0xa10000 [0242.266] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.266] GetProcessHeap () returned 0xa10000 [0242.266] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.267] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.267] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.323] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.323] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.324] GetProcessHeap () returned 0xa10000 [0242.324] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.324] GetProcessHeap () returned 0xa10000 [0242.324] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.324] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.324] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.431] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.431] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.433] GetProcessHeap () returned 0xa10000 [0242.433] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.433] GetProcessHeap () returned 0xa10000 [0242.433] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.433] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.433] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.443] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.443] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.443] GetProcessHeap () returned 0xa10000 [0242.443] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.444] GetProcessHeap () returned 0xa10000 [0242.444] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.444] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.444] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.620] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.620] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.621] GetProcessHeap () returned 0xa10000 [0242.621] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.621] GetProcessHeap () returned 0xa10000 [0242.621] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.621] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.621] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.632] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.632] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.632] GetProcessHeap () returned 0xa10000 [0242.632] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.632] GetProcessHeap () returned 0xa10000 [0242.633] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.633] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.633] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.717] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.717] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.718] GetProcessHeap () returned 0xa10000 [0242.718] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.719] GetProcessHeap () returned 0xa10000 [0242.719] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.719] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.719] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.780] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.780] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.780] GetProcessHeap () returned 0xa10000 [0242.780] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.780] GetProcessHeap () returned 0xa10000 [0242.781] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.781] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.781] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.789] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.789] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.790] GetProcessHeap () returned 0xa10000 [0242.790] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.790] GetProcessHeap () returned 0xa10000 [0242.790] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.790] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.790] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.800] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.800] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.801] GetProcessHeap () returned 0xa10000 [0242.801] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.801] GetProcessHeap () returned 0xa10000 [0242.801] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.801] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.801] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.811] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.811] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.811] GetProcessHeap () returned 0xa10000 [0242.811] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.811] GetProcessHeap () returned 0xa10000 [0242.811] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.811] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.812] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.879] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.879] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.880] GetProcessHeap () returned 0xa10000 [0242.880] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.880] GetProcessHeap () returned 0xa10000 [0242.880] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.880] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.880] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.889] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.889] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.890] GetProcessHeap () returned 0xa10000 [0242.890] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.890] GetProcessHeap () returned 0xa10000 [0242.890] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.890] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.890] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.900] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.900] GetProcessHeap () returned 0xa10000 [0242.901] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.901] GetProcessHeap () returned 0xa10000 [0242.901] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.901] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.901] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0242.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.947] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0242.948] GetProcessHeap () returned 0xa10000 [0242.948] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0242.948] GetProcessHeap () returned 0xa10000 [0242.948] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0242.948] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.948] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.012] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.012] GetProcessHeap () returned 0xa10000 [0243.012] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.013] GetProcessHeap () returned 0xa10000 [0243.013] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.013] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.013] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.023] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.023] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.024] GetProcessHeap () returned 0xa10000 [0243.024] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.024] GetProcessHeap () returned 0xa10000 [0243.024] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.024] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.071] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.071] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.072] GetProcessHeap () returned 0xa10000 [0243.072] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.072] GetProcessHeap () returned 0xa10000 [0243.072] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.072] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.072] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.083] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.083] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.084] GetProcessHeap () returned 0xa10000 [0243.084] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.084] GetProcessHeap () returned 0xa10000 [0243.084] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.084] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.084] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.149] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.149] GetProcessHeap () returned 0xa10000 [0243.149] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.149] GetProcessHeap () returned 0xa10000 [0243.149] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.150] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.197] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.197] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.197] GetProcessHeap () returned 0xa10000 [0243.197] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.197] GetProcessHeap () returned 0xa10000 [0243.197] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.198] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.198] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.207] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.208] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.208] GetProcessHeap () returned 0xa10000 [0243.208] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.208] GetProcessHeap () returned 0xa10000 [0243.208] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.208] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.208] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.218] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.219] GetProcessHeap () returned 0xa10000 [0243.219] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.219] GetProcessHeap () returned 0xa10000 [0243.219] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.220] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.220] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.276] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.276] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.277] GetProcessHeap () returned 0xa10000 [0243.277] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.278] GetProcessHeap () returned 0xa10000 [0243.278] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.278] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.278] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.288] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.288] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.289] GetProcessHeap () returned 0xa10000 [0243.289] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.289] GetProcessHeap () returned 0xa10000 [0243.289] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.289] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.289] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.297] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.297] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.298] GetProcessHeap () returned 0xa10000 [0243.298] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.298] GetProcessHeap () returned 0xa10000 [0243.298] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.298] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.298] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.308] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.308] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.534] GetProcessHeap () returned 0xa10000 [0243.534] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.535] GetProcessHeap () returned 0xa10000 [0243.535] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.535] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.535] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.550] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.550] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.551] GetProcessHeap () returned 0xa10000 [0243.551] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.552] GetProcessHeap () returned 0xa10000 [0243.552] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.552] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.552] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.562] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.562] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.562] GetProcessHeap () returned 0xa10000 [0243.562] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.562] GetProcessHeap () returned 0xa10000 [0243.562] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.562] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.600] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.769] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.769] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.770] GetProcessHeap () returned 0xa10000 [0243.770] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.770] GetProcessHeap () returned 0xa10000 [0243.770] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.770] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.770] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.777] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.777] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.778] GetProcessHeap () returned 0xa10000 [0243.778] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.778] GetProcessHeap () returned 0xa10000 [0243.778] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.778] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.778] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.797] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.797] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.798] GetProcessHeap () returned 0xa10000 [0243.798] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.798] GetProcessHeap () returned 0xa10000 [0243.798] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.798] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.798] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0243.883] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.883] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0243.884] GetProcessHeap () returned 0xa10000 [0243.884] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0243.884] GetProcessHeap () returned 0xa10000 [0243.884] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0243.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.884] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.021] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.021] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.022] GetProcessHeap () returned 0xa10000 [0244.022] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.022] GetProcessHeap () returned 0xa10000 [0244.022] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.022] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.022] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.061] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.061] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.071] GetProcessHeap () returned 0xa10000 [0244.071] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.072] GetProcessHeap () returned 0xa10000 [0244.072] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.072] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.072] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.080] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.080] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.081] GetProcessHeap () returned 0xa10000 [0244.081] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.081] GetProcessHeap () returned 0xa10000 [0244.081] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.081] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.081] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.109] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.109] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.149] GetProcessHeap () returned 0xa10000 [0244.149] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.149] GetProcessHeap () returned 0xa10000 [0244.150] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.150] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.150] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.160] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.160] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.161] GetProcessHeap () returned 0xa10000 [0244.161] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.161] GetProcessHeap () returned 0xa10000 [0244.161] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.161] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.161] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.171] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.171] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.172] GetProcessHeap () returned 0xa10000 [0244.172] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.172] GetProcessHeap () returned 0xa10000 [0244.172] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.172] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.172] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.186] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.186] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.187] GetProcessHeap () returned 0xa10000 [0244.187] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.187] GetProcessHeap () returned 0xa10000 [0244.187] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.187] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.187] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.238] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.238] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.239] GetProcessHeap () returned 0xa10000 [0244.239] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.239] GetProcessHeap () returned 0xa10000 [0244.239] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.239] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.239] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.422] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.423] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.423] GetProcessHeap () returned 0xa10000 [0244.423] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.423] GetProcessHeap () returned 0xa10000 [0244.423] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.423] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.424] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.432] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.433] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.433] GetProcessHeap () returned 0xa10000 [0244.433] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.433] GetProcessHeap () returned 0xa10000 [0244.433] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.433] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.434] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.441] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.442] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.442] GetProcessHeap () returned 0xa10000 [0244.442] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.442] GetProcessHeap () returned 0xa10000 [0244.442] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.442] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.443] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.712] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.712] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.713] GetProcessHeap () returned 0xa10000 [0244.713] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.713] GetProcessHeap () returned 0xa10000 [0244.713] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.713] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.713] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.774] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.774] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.775] GetProcessHeap () returned 0xa10000 [0244.775] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.775] GetProcessHeap () returned 0xa10000 [0244.775] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.775] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.775] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.821] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.821] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.821] GetProcessHeap () returned 0xa10000 [0244.822] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.822] GetProcessHeap () returned 0xa10000 [0244.822] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.822] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.822] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.880] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.880] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.881] GetProcessHeap () returned 0xa10000 [0244.881] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.881] GetProcessHeap () returned 0xa10000 [0244.881] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.881] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.881] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.944] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.944] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.945] GetProcessHeap () returned 0xa10000 [0244.945] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.945] GetProcessHeap () returned 0xa10000 [0244.945] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.945] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.946] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.953] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.953] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.954] GetProcessHeap () returned 0xa10000 [0244.954] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.954] GetProcessHeap () returned 0xa10000 [0244.954] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.954] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.954] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.967] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.967] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.968] GetProcessHeap () returned 0xa10000 [0244.968] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.968] GetProcessHeap () returned 0xa10000 [0244.968] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.968] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.968] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0244.998] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.999] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0244.999] GetProcessHeap () returned 0xa10000 [0244.999] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0244.999] GetProcessHeap () returned 0xa10000 [0244.999] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0244.999] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.999] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.019] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.019] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.020] GetProcessHeap () returned 0xa10000 [0245.020] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.020] GetProcessHeap () returned 0xa10000 [0245.020] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.020] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.020] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.031] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.031] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.057] GetProcessHeap () returned 0xa10000 [0245.057] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.057] GetProcessHeap () returned 0xa10000 [0245.057] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.057] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.057] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.115] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.115] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.115] GetProcessHeap () returned 0xa10000 [0245.115] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.115] GetProcessHeap () returned 0xa10000 [0245.115] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.115] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.115] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.316] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.316] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.317] GetProcessHeap () returned 0xa10000 [0245.317] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.317] GetProcessHeap () returned 0xa10000 [0245.317] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.317] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.317] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.323] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.323] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.324] GetProcessHeap () returned 0xa10000 [0245.324] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.324] GetProcessHeap () returned 0xa10000 [0245.324] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.324] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.324] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.418] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.418] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.419] GetProcessHeap () returned 0xa10000 [0245.419] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.419] GetProcessHeap () returned 0xa10000 [0245.419] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.419] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.419] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.426] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.426] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.426] GetProcessHeap () returned 0xa10000 [0245.426] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.427] GetProcessHeap () returned 0xa10000 [0245.427] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.427] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.427] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.447] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.447] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.448] GetProcessHeap () returned 0xa10000 [0245.448] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.448] GetProcessHeap () returned 0xa10000 [0245.448] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.448] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.448] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.455] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.455] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.455] GetProcessHeap () returned 0xa10000 [0245.455] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.455] GetProcessHeap () returned 0xa10000 [0245.455] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.456] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.456] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.558] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.558] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.559] GetProcessHeap () returned 0xa10000 [0245.559] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.559] GetProcessHeap () returned 0xa10000 [0245.559] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.559] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.559] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.570] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.570] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.571] GetProcessHeap () returned 0xa10000 [0245.571] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.571] GetProcessHeap () returned 0xa10000 [0245.571] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.571] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.674] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.674] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.675] GetProcessHeap () returned 0xa10000 [0245.675] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.675] GetProcessHeap () returned 0xa10000 [0245.675] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.675] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.675] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.681] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.682] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.682] GetProcessHeap () returned 0xa10000 [0245.682] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.682] GetProcessHeap () returned 0xa10000 [0245.682] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.682] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.682] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.723] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.724] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.725] GetProcessHeap () returned 0xa10000 [0245.725] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.725] GetProcessHeap () returned 0xa10000 [0245.725] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.725] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.725] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.733] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.734] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.734] GetProcessHeap () returned 0xa10000 [0245.734] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.734] GetProcessHeap () returned 0xa10000 [0245.734] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.734] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.734] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.742] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.742] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.743] GetProcessHeap () returned 0xa10000 [0245.743] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.743] GetProcessHeap () returned 0xa10000 [0245.743] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.743] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.743] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.804] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.805] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.806] GetProcessHeap () returned 0xa10000 [0245.806] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.806] GetProcessHeap () returned 0xa10000 [0245.806] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.806] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.806] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.868] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.868] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.869] GetProcessHeap () returned 0xa10000 [0245.869] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.869] GetProcessHeap () returned 0xa10000 [0245.869] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.869] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.869] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.879] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.879] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.880] GetProcessHeap () returned 0xa10000 [0245.880] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.880] GetProcessHeap () returned 0xa10000 [0245.880] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.880] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.880] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.889] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.889] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.890] GetProcessHeap () returned 0xa10000 [0245.890] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.890] GetProcessHeap () returned 0xa10000 [0245.890] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.890] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.890] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0245.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.947] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0245.947] GetProcessHeap () returned 0xa10000 [0245.947] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0245.947] GetProcessHeap () returned 0xa10000 [0245.947] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0245.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.948] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.008] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.008] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.009] GetProcessHeap () returned 0xa10000 [0246.009] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.009] GetProcessHeap () returned 0xa10000 [0246.009] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.009] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.009] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.019] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.019] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.020] GetProcessHeap () returned 0xa10000 [0246.020] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.020] GetProcessHeap () returned 0xa10000 [0246.020] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.020] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.020] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.072] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.072] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.073] GetProcessHeap () returned 0xa10000 [0246.073] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.073] GetProcessHeap () returned 0xa10000 [0246.073] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.073] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.082] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.082] GetProcessHeap () returned 0xa10000 [0246.082] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.082] GetProcessHeap () returned 0xa10000 [0246.082] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.082] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.090] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.090] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.091] GetProcessHeap () returned 0xa10000 [0246.091] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.091] GetProcessHeap () returned 0xa10000 [0246.091] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.091] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.091] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.271] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.271] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.272] GetProcessHeap () returned 0xa10000 [0246.272] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.272] GetProcessHeap () returned 0xa10000 [0246.272] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.272] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.272] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.280] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.280] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.281] GetProcessHeap () returned 0xa10000 [0246.281] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.281] GetProcessHeap () returned 0xa10000 [0246.281] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.281] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.281] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.289] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.289] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.290] GetProcessHeap () returned 0xa10000 [0246.290] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.290] GetProcessHeap () returned 0xa10000 [0246.290] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.290] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.290] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.301] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.301] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.302] GetProcessHeap () returned 0xa10000 [0246.302] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.302] GetProcessHeap () returned 0xa10000 [0246.302] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.302] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.302] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.352] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.352] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.353] GetProcessHeap () returned 0xa10000 [0246.353] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.353] GetProcessHeap () returned 0xa10000 [0246.353] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.353] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.353] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.363] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.363] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.364] GetProcessHeap () returned 0xa10000 [0246.364] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.364] GetProcessHeap () returned 0xa10000 [0246.364] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.364] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.364] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.373] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.374] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.374] GetProcessHeap () returned 0xa10000 [0246.374] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.374] GetProcessHeap () returned 0xa10000 [0246.374] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.374] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.375] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.385] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.385] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.386] GetProcessHeap () returned 0xa10000 [0246.386] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.386] GetProcessHeap () returned 0xa10000 [0246.386] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.386] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.386] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.439] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.439] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.440] GetProcessHeap () returned 0xa10000 [0246.440] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.440] GetProcessHeap () returned 0xa10000 [0246.440] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.440] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.440] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.451] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.451] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.451] GetProcessHeap () returned 0xa10000 [0246.452] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.452] GetProcessHeap () returned 0xa10000 [0246.452] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.452] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.452] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.463] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.463] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.464] GetProcessHeap () returned 0xa10000 [0246.464] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.464] GetProcessHeap () returned 0xa10000 [0246.464] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.464] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.464] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.730] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.730] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.731] GetProcessHeap () returned 0xa10000 [0246.731] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.731] GetProcessHeap () returned 0xa10000 [0246.731] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.731] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.731] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.935] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.935] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.937] GetProcessHeap () returned 0xa10000 [0246.937] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.937] GetProcessHeap () returned 0xa10000 [0246.937] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.937] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.937] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.949] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.949] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.950] GetProcessHeap () returned 0xa10000 [0246.950] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.950] GetProcessHeap () returned 0xa10000 [0246.950] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.950] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.950] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0246.996] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.996] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0246.997] GetProcessHeap () returned 0xa10000 [0246.997] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0246.997] GetProcessHeap () returned 0xa10000 [0246.997] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0246.997] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.997] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.009] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.009] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.010] GetProcessHeap () returned 0xa10000 [0247.010] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.010] GetProcessHeap () returned 0xa10000 [0247.010] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.010] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.010] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.074] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.074] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.076] GetProcessHeap () returned 0xa10000 [0247.076] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.076] GetProcessHeap () returned 0xa10000 [0247.076] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.076] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.076] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.121] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.122] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.122] GetProcessHeap () returned 0xa10000 [0247.122] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.122] GetProcessHeap () returned 0xa10000 [0247.122] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.122] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.123] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.133] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.133] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.134] GetProcessHeap () returned 0xa10000 [0247.134] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.134] GetProcessHeap () returned 0xa10000 [0247.134] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.134] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.134] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.143] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.143] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.145] GetProcessHeap () returned 0xa10000 [0247.145] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.145] GetProcessHeap () returned 0xa10000 [0247.145] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.145] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.145] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.154] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.154] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.155] GetProcessHeap () returned 0xa10000 [0247.155] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.155] GetProcessHeap () returned 0xa10000 [0247.155] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.155] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.155] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.214] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.214] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.215] GetProcessHeap () returned 0xa10000 [0247.215] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.215] GetProcessHeap () returned 0xa10000 [0247.215] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.215] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.215] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.225] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.225] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.226] GetProcessHeap () returned 0xa10000 [0247.226] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.226] GetProcessHeap () returned 0xa10000 [0247.226] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.226] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.226] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.236] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.236] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.237] GetProcessHeap () returned 0xa10000 [0247.237] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.300] GetProcessHeap () returned 0xa10000 [0247.300] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.300] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.300] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.310] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.310] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.310] GetProcessHeap () returned 0xa10000 [0247.310] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.311] GetProcessHeap () returned 0xa10000 [0247.311] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.311] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.311] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.377] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.377] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.378] GetProcessHeap () returned 0xa10000 [0247.378] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.378] GetProcessHeap () returned 0xa10000 [0247.378] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.378] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.378] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.388] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.388] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.389] GetProcessHeap () returned 0xa10000 [0247.389] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.389] GetProcessHeap () returned 0xa10000 [0247.389] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.389] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.389] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.495] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.495] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.495] GetProcessHeap () returned 0xa10000 [0247.496] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.496] GetProcessHeap () returned 0xa10000 [0247.496] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.496] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.496] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.505] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.505] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.506] GetProcessHeap () returned 0xa10000 [0247.506] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.506] GetProcessHeap () returned 0xa10000 [0247.506] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.506] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.506] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.607] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.608] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.609] GetProcessHeap () returned 0xa10000 [0247.609] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.609] GetProcessHeap () returned 0xa10000 [0247.609] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.609] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.610] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.746] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.746] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.747] GetProcessHeap () returned 0xa10000 [0247.747] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.747] GetProcessHeap () returned 0xa10000 [0247.747] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.747] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.747] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.755] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.755] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.756] GetProcessHeap () returned 0xa10000 [0247.756] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.756] GetProcessHeap () returned 0xa10000 [0247.756] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.756] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.756] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.810] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.810] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.810] GetProcessHeap () returned 0xa10000 [0247.810] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.810] GetProcessHeap () returned 0xa10000 [0247.810] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.811] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.811] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.871] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.871] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.873] GetProcessHeap () returned 0xa10000 [0247.873] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.873] GetProcessHeap () returned 0xa10000 [0247.873] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.873] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.873] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.882] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.882] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.883] GetProcessHeap () returned 0xa10000 [0247.883] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.883] GetProcessHeap () returned 0xa10000 [0247.883] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.883] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.883] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.893] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.893] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.894] GetProcessHeap () returned 0xa10000 [0247.894] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.894] GetProcessHeap () returned 0xa10000 [0247.894] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.894] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.894] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.903] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.903] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.904] GetProcessHeap () returned 0xa10000 [0247.904] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.904] GetProcessHeap () returned 0xa10000 [0247.904] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.904] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.904] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0247.963] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.963] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0247.964] GetProcessHeap () returned 0xa10000 [0247.964] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0247.964] GetProcessHeap () returned 0xa10000 [0247.964] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0247.964] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.965] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.021] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.021] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.021] GetProcessHeap () returned 0xa10000 [0248.021] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.021] GetProcessHeap () returned 0xa10000 [0248.022] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.022] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.022] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.031] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.031] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.032] GetProcessHeap () returned 0xa10000 [0248.032] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.032] GetProcessHeap () returned 0xa10000 [0248.032] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.032] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.032] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.089] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.089] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.089] GetProcessHeap () returned 0xa10000 [0248.089] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.089] GetProcessHeap () returned 0xa10000 [0248.089] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.089] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.089] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.098] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.098] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.099] GetProcessHeap () returned 0xa10000 [0248.099] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.099] GetProcessHeap () returned 0xa10000 [0248.099] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.099] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.099] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.113] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.113] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.114] GetProcessHeap () returned 0xa10000 [0248.114] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.114] GetProcessHeap () returned 0xa10000 [0248.114] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.114] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.114] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.122] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.122] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.122] GetProcessHeap () returned 0xa10000 [0248.122] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.122] GetProcessHeap () returned 0xa10000 [0248.122] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.123] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.123] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.167] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.167] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.167] GetProcessHeap () returned 0xa10000 [0248.167] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.168] GetProcessHeap () returned 0xa10000 [0248.168] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.168] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.168] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.176] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.176] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.176] GetProcessHeap () returned 0xa10000 [0248.176] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.176] GetProcessHeap () returned 0xa10000 [0248.176] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.176] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.176] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.231] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.231] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.231] GetProcessHeap () returned 0xa10000 [0248.231] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.232] GetProcessHeap () returned 0xa10000 [0248.232] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.232] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.232] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.289] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.289] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.290] GetProcessHeap () returned 0xa10000 [0248.290] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.290] GetProcessHeap () returned 0xa10000 [0248.290] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.290] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.290] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.301] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.301] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.301] GetProcessHeap () returned 0xa10000 [0248.301] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.302] GetProcessHeap () returned 0xa10000 [0248.302] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.302] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.302] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.310] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.310] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.310] GetProcessHeap () returned 0xa10000 [0248.310] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.311] GetProcessHeap () returned 0xa10000 [0248.311] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.311] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.311] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.380] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.380] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.381] GetProcessHeap () returned 0xa10000 [0248.381] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.381] GetProcessHeap () returned 0xa10000 [0248.381] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.381] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.381] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.391] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.391] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.391] GetProcessHeap () returned 0xa10000 [0248.392] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.392] GetProcessHeap () returned 0xa10000 [0248.392] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.392] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.392] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.401] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.402] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.402] GetProcessHeap () returned 0xa10000 [0248.402] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.402] GetProcessHeap () returned 0xa10000 [0248.402] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.402] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.402] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.413] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.413] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.414] GetProcessHeap () returned 0xa10000 [0248.414] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.414] GetProcessHeap () returned 0xa10000 [0248.414] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.414] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.414] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.464] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.464] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.466] GetProcessHeap () returned 0xa10000 [0248.466] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.466] GetProcessHeap () returned 0xa10000 [0248.466] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.466] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.466] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.494] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.494] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.495] GetProcessHeap () returned 0xa10000 [0248.495] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.495] GetProcessHeap () returned 0xa10000 [0248.495] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.495] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.495] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.505] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.505] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.506] GetProcessHeap () returned 0xa10000 [0248.506] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.506] GetProcessHeap () returned 0xa10000 [0248.506] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.506] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.506] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.555] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.556] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.556] GetProcessHeap () returned 0xa10000 [0248.556] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.556] GetProcessHeap () returned 0xa10000 [0248.556] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.556] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.557] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.620] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.621] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.622] GetProcessHeap () returned 0xa10000 [0248.622] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.622] GetProcessHeap () returned 0xa10000 [0248.622] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.622] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.622] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.721] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.721] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.770] GetProcessHeap () returned 0xa10000 [0248.770] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.770] GetProcessHeap () returned 0xa10000 [0248.770] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.770] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.770] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.778] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.778] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.779] GetProcessHeap () returned 0xa10000 [0248.779] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.779] GetProcessHeap () returned 0xa10000 [0248.779] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.779] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.779] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.825] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.825] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.826] GetProcessHeap () returned 0xa10000 [0248.826] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.826] GetProcessHeap () returned 0xa10000 [0248.826] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.826] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.826] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.838] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.838] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.839] GetProcessHeap () returned 0xa10000 [0248.839] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.839] GetProcessHeap () returned 0xa10000 [0248.839] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.839] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.839] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.900] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.900] GetProcessHeap () returned 0xa10000 [0248.901] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.901] GetProcessHeap () returned 0xa10000 [0248.901] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.901] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.901] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.909] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.909] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.909] GetProcessHeap () returned 0xa10000 [0248.910] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.910] GetProcessHeap () returned 0xa10000 [0248.910] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.910] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.910] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.917] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.917] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.918] GetProcessHeap () returned 0xa10000 [0248.918] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.918] GetProcessHeap () returned 0xa10000 [0248.918] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.918] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.918] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.926] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.926] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.927] GetProcessHeap () returned 0xa10000 [0248.927] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.927] GetProcessHeap () returned 0xa10000 [0248.927] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.927] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.927] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.990] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.990] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0248.991] GetProcessHeap () returned 0xa10000 [0248.991] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0248.991] GetProcessHeap () returned 0xa10000 [0248.991] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0248.991] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.991] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0248.999] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.999] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.000] GetProcessHeap () returned 0xa10000 [0249.000] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.000] GetProcessHeap () returned 0xa10000 [0249.000] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.000] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.000] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.010] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.010] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.011] GetProcessHeap () returned 0xa10000 [0249.011] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.011] GetProcessHeap () returned 0xa10000 [0249.011] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.011] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.011] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.021] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.021] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.022] GetProcessHeap () returned 0xa10000 [0249.022] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.022] GetProcessHeap () returned 0xa10000 [0249.022] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.022] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.022] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.081] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.081] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.082] GetProcessHeap () returned 0xa10000 [0249.082] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.082] GetProcessHeap () returned 0xa10000 [0249.082] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.082] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.092] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.092] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.092] GetProcessHeap () returned 0xa10000 [0249.092] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.092] GetProcessHeap () returned 0xa10000 [0249.092] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.092] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.093] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.103] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.104] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.104] GetProcessHeap () returned 0xa10000 [0249.104] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.104] GetProcessHeap () returned 0xa10000 [0249.104] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.104] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.105] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.151] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.151] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.152] GetProcessHeap () returned 0xa10000 [0249.152] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.152] GetProcessHeap () returned 0xa10000 [0249.152] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.152] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.152] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.215] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.215] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.216] GetProcessHeap () returned 0xa10000 [0249.216] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.216] GetProcessHeap () returned 0xa10000 [0249.216] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.216] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.216] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.226] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.226] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.227] GetProcessHeap () returned 0xa10000 [0249.227] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.227] GetProcessHeap () returned 0xa10000 [0249.227] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.227] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.227] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.276] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.276] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.276] GetProcessHeap () returned 0xa10000 [0249.277] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.277] GetProcessHeap () returned 0xa10000 [0249.277] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.277] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4ead9a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.277] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.285] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4ead9a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.285] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.286] GetProcessHeap () returned 0xa10000 [0249.286] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.286] GetProcessHeap () returned 0xa10000 [0249.286] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.286] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4eeaa30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.286] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.354] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4eeaa30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.354] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.355] GetProcessHeap () returned 0xa10000 [0249.355] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.355] GetProcessHeap () returned 0xa10000 [0249.355] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.355] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f27ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.355] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.401] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f27ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.402] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.402] GetProcessHeap () returned 0xa10000 [0249.402] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.402] GetProcessHeap () returned 0xa10000 [0249.402] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.402] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f64b50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.402] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.411] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f64b50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.411] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.412] GetProcessHeap () returned 0xa10000 [0249.412] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.412] GetProcessHeap () returned 0xa10000 [0249.412] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.412] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4fa1be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.412] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.419] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4fa1be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.420] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.420] GetProcessHeap () returned 0xa10000 [0249.420] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.420] GetProcessHeap () returned 0xa10000 [0249.420] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.420] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4fdec70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.420] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.430] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4fdec70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.430] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.430] GetProcessHeap () returned 0xa10000 [0249.431] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.431] GetProcessHeap () returned 0xa10000 [0249.431] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.431] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x501bd00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.431] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.503] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x501bd00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.503] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.504] GetProcessHeap () returned 0xa10000 [0249.504] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.504] GetProcessHeap () returned 0xa10000 [0249.504] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.504] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5058d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.504] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.512] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5058d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.512] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.513] GetProcessHeap () returned 0xa10000 [0249.513] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.513] GetProcessHeap () returned 0xa10000 [0249.513] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.513] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5095e20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.513] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.522] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5095e20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.522] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.522] GetProcessHeap () returned 0xa10000 [0249.522] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.522] GetProcessHeap () returned 0xa10000 [0249.522] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.522] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x50d2eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.523] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.531] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x50d2eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.531] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.531] GetProcessHeap () returned 0xa10000 [0249.531] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.531] GetProcessHeap () returned 0xa10000 [0249.532] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x510ff40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.532] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.598] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x510ff40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.598] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.598] GetProcessHeap () returned 0xa10000 [0249.599] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.599] GetProcessHeap () returned 0xa10000 [0249.599] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.599] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x514cfd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.599] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.608] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x514cfd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.608] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.609] GetProcessHeap () returned 0xa10000 [0249.609] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.609] GetProcessHeap () returned 0xa10000 [0249.609] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.609] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x518a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.609] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.619] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x518a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.619] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.619] GetProcessHeap () returned 0xa10000 [0249.619] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.619] GetProcessHeap () returned 0xa10000 [0249.619] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.620] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x51c70f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.620] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.782] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x51c70f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.782] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.783] GetProcessHeap () returned 0xa10000 [0249.783] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.783] GetProcessHeap () returned 0xa10000 [0249.783] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.783] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5204180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.783] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.864] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5204180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.864] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.865] GetProcessHeap () returned 0xa10000 [0249.865] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.865] GetProcessHeap () returned 0xa10000 [0249.865] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.865] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5241210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.865] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.875] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5241210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.875] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.876] GetProcessHeap () returned 0xa10000 [0249.876] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.876] GetProcessHeap () returned 0xa10000 [0249.876] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.876] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x527e2a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.876] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.967] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x527e2a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.967] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.968] GetProcessHeap () returned 0xa10000 [0249.968] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.968] GetProcessHeap () returned 0xa10000 [0249.968] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.968] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x52bb330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.968] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0249.978] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x52bb330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.978] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0249.979] GetProcessHeap () returned 0xa10000 [0249.979] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0249.979] GetProcessHeap () returned 0xa10000 [0249.979] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0249.979] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x52f83c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.979] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.045] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x52f83c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.045] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.047] GetProcessHeap () returned 0xa10000 [0250.047] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.047] GetProcessHeap () returned 0xa10000 [0250.047] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.047] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5335450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.047] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.093] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5335450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.093] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.094] GetProcessHeap () returned 0xa10000 [0250.094] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.094] GetProcessHeap () returned 0xa10000 [0250.094] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.094] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53724e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.094] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.103] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53724e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.103] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.103] GetProcessHeap () returned 0xa10000 [0250.104] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.104] GetProcessHeap () returned 0xa10000 [0250.104] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.104] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53af570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.104] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.152] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53af570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.152] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.153] GetProcessHeap () returned 0xa10000 [0250.153] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.153] GetProcessHeap () returned 0xa10000 [0250.153] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.153] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53ec600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.153] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.387] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53ec600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.387] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.389] GetProcessHeap () returned 0xa10000 [0250.389] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.389] GetProcessHeap () returned 0xa10000 [0250.389] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.389] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5429690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.389] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.418] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5429690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.418] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.419] GetProcessHeap () returned 0xa10000 [0250.514] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.514] GetProcessHeap () returned 0xa10000 [0250.514] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.514] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5466720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.538] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.546] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5466720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.546] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.547] GetProcessHeap () returned 0xa10000 [0250.547] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.547] GetProcessHeap () returned 0xa10000 [0250.547] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.547] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x54a37b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.547] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.591] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x54a37b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.591] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.592] GetProcessHeap () returned 0xa10000 [0250.592] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.592] GetProcessHeap () returned 0xa10000 [0250.592] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.592] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x54e0840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.592] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.602] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x54e0840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.602] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.602] GetProcessHeap () returned 0xa10000 [0250.603] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.603] GetProcessHeap () returned 0xa10000 [0250.603] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.603] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x551d8d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.603] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x551d8d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.671] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.672] GetProcessHeap () returned 0xa10000 [0250.672] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.672] GetProcessHeap () returned 0xa10000 [0250.672] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.672] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x555a960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.672] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.787] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x555a960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.787] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.788] GetProcessHeap () returned 0xa10000 [0250.788] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.788] GetProcessHeap () returned 0xa10000 [0250.788] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.788] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x55979f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.788] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.796] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x55979f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.796] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.796] GetProcessHeap () returned 0xa10000 [0250.797] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.797] GetProcessHeap () returned 0xa10000 [0250.797] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.797] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x55d4a80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.797] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.872] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x55d4a80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.872] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.873] GetProcessHeap () returned 0xa10000 [0250.873] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.873] GetProcessHeap () returned 0xa10000 [0250.873] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.873] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5611b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.873] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.934] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5611b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.935] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.935] GetProcessHeap () returned 0xa10000 [0250.935] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.935] GetProcessHeap () returned 0xa10000 [0250.935] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.935] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x564eba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.935] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x564eba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.946] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.947] GetProcessHeap () returned 0xa10000 [0250.947] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.947] GetProcessHeap () returned 0xa10000 [0250.947] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x568bc30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.947] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0250.995] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x568bc30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.995] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0250.996] GetProcessHeap () returned 0xa10000 [0250.996] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0250.996] GetProcessHeap () returned 0xa10000 [0250.996] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0250.996] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x56c8cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.996] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.002] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x56c8cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.002] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.003] GetProcessHeap () returned 0xa10000 [0251.003] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.003] GetProcessHeap () returned 0xa10000 [0251.003] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.003] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5705d50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.003] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.048] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5705d50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.049] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.049] GetProcessHeap () returned 0xa10000 [0251.049] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.049] GetProcessHeap () returned 0xa10000 [0251.049] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.050] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5742de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.050] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.072] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5742de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.072] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.073] GetProcessHeap () returned 0xa10000 [0251.073] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.073] GetProcessHeap () returned 0xa10000 [0251.073] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x577fe70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.073] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.079] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x577fe70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.080] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.080] GetProcessHeap () returned 0xa10000 [0251.080] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.080] GetProcessHeap () returned 0xa10000 [0251.080] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.080] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57bcf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.080] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.158] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57bcf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.158] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.159] GetProcessHeap () returned 0xa10000 [0251.159] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.159] GetProcessHeap () returned 0xa10000 [0251.159] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.159] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57f9f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.159] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57f9f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.183] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.184] GetProcessHeap () returned 0xa10000 [0251.184] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.184] GetProcessHeap () returned 0xa10000 [0251.184] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.184] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5837020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.184] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.198] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5837020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.198] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.199] GetProcessHeap () returned 0xa10000 [0251.199] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.199] GetProcessHeap () returned 0xa10000 [0251.199] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.199] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58740b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.199] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.234] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58740b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.234] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.235] GetProcessHeap () returned 0xa10000 [0251.235] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.235] GetProcessHeap () returned 0xa10000 [0251.235] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.235] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58b1140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.235] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.244] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58b1140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.244] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.245] GetProcessHeap () returned 0xa10000 [0251.245] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.245] GetProcessHeap () returned 0xa10000 [0251.245] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.245] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58ee1d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.245] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.259] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58ee1d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.259] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.261] GetProcessHeap () returned 0xa10000 [0251.261] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.261] GetProcessHeap () returned 0xa10000 [0251.261] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.261] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x592b260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.261] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.324] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x592b260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.324] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.326] GetProcessHeap () returned 0xa10000 [0251.326] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.326] GetProcessHeap () returned 0xa10000 [0251.326] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.326] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59682f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.326] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.350] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59682f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.350] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.350] GetProcessHeap () returned 0xa10000 [0251.350] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.351] GetProcessHeap () returned 0xa10000 [0251.351] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.351] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59a5380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.351] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.361] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59a5380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.361] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.361] GetProcessHeap () returned 0xa10000 [0251.361] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.361] GetProcessHeap () returned 0xa10000 [0251.362] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.362] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59e2410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.362] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.384] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59e2410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.384] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.385] GetProcessHeap () returned 0xa10000 [0251.385] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.385] GetProcessHeap () returned 0xa10000 [0251.385] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.385] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a1f4a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.386] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.509] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a1f4a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.509] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.510] GetProcessHeap () returned 0xa10000 [0251.510] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.510] GetProcessHeap () returned 0xa10000 [0251.510] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.510] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a5c530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.510] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.702] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a5c530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.702] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.703] GetProcessHeap () returned 0xa10000 [0251.703] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.703] GetProcessHeap () returned 0xa10000 [0251.703] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.703] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a995c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.703] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.713] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a995c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.713] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.714] GetProcessHeap () returned 0xa10000 [0251.714] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.714] GetProcessHeap () returned 0xa10000 [0251.714] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.714] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ad6650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.714] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.723] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ad6650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.723] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.724] GetProcessHeap () returned 0xa10000 [0251.724] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.724] GetProcessHeap () returned 0xa10000 [0251.724] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.724] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b136e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.724] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.749] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b136e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.749] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.750] GetProcessHeap () returned 0xa10000 [0251.750] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.750] GetProcessHeap () returned 0xa10000 [0251.750] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.750] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b50770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.750] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.757] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b50770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.757] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.758] GetProcessHeap () returned 0xa10000 [0251.758] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.758] GetProcessHeap () returned 0xa10000 [0251.758] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.758] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b8d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.758] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.876] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b8d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.876] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.876] GetProcessHeap () returned 0xa10000 [0251.876] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.877] GetProcessHeap () returned 0xa10000 [0251.877] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.877] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5bca890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.877] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0251.970] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5bca890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.970] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0251.971] GetProcessHeap () returned 0xa10000 [0251.971] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0251.971] GetProcessHeap () returned 0xa10000 [0251.971] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0251.971] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c07920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.971] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.055] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c07920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.055] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.056] GetProcessHeap () returned 0xa10000 [0252.056] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.056] GetProcessHeap () returned 0xa10000 [0252.056] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.056] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c449b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.056] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.213] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c449b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.213] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.214] GetProcessHeap () returned 0xa10000 [0252.215] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.215] GetProcessHeap () returned 0xa10000 [0252.215] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.215] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c81a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.215] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.224] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c81a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.224] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.225] GetProcessHeap () returned 0xa10000 [0252.225] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.225] GetProcessHeap () returned 0xa10000 [0252.225] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.225] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5cbead0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.225] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5cbead0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.266] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.266] GetProcessHeap () returned 0xa10000 [0252.266] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.266] GetProcessHeap () returned 0xa10000 [0252.266] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5cfbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.267] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.289] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5cfbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.289] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.290] GetProcessHeap () returned 0xa10000 [0252.291] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.291] GetProcessHeap () returned 0xa10000 [0252.291] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.291] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5d38bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.291] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.304] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5d38bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.304] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.305] GetProcessHeap () returned 0xa10000 [0252.305] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.305] GetProcessHeap () returned 0xa10000 [0252.305] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.305] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5d75c80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.305] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.362] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5d75c80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.363] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.364] GetProcessHeap () returned 0xa10000 [0252.364] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.364] GetProcessHeap () returned 0xa10000 [0252.364] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.364] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5db2d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.364] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.379] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5db2d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.379] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.380] GetProcessHeap () returned 0xa10000 [0252.380] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.380] GetProcessHeap () returned 0xa10000 [0252.380] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.380] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5defda0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.380] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.459] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5defda0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.459] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.461] GetProcessHeap () returned 0xa10000 [0252.461] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.461] GetProcessHeap () returned 0xa10000 [0252.461] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.461] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5e2ce30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.461] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.521] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5e2ce30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.521] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.522] GetProcessHeap () returned 0xa10000 [0252.522] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.522] GetProcessHeap () returned 0xa10000 [0252.522] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.522] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5e69ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.522] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5e69ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.532] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.532] GetProcessHeap () returned 0xa10000 [0252.532] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.532] GetProcessHeap () returned 0xa10000 [0252.532] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ea6f50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.533] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.542] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ea6f50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.542] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.543] GetProcessHeap () returned 0xa10000 [0252.543] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.543] GetProcessHeap () returned 0xa10000 [0252.543] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.543] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ee3fe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.543] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.600] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ee3fe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.600] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.601] GetProcessHeap () returned 0xa10000 [0252.602] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.602] GetProcessHeap () returned 0xa10000 [0252.602] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.602] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f21070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.602] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.612] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f21070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.612] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.612] GetProcessHeap () returned 0xa10000 [0252.612] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.612] GetProcessHeap () returned 0xa10000 [0252.613] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.613] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f5e100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.613] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.622] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f5e100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.622] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.623] GetProcessHeap () returned 0xa10000 [0252.623] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.623] GetProcessHeap () returned 0xa10000 [0252.623] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.623] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f9b190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.623] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.679] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f9b190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.679] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.679] GetProcessHeap () returned 0xa10000 [0252.679] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.679] GetProcessHeap () returned 0xa10000 [0252.679] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.679] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5fd8220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.680] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.689] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5fd8220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.689] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.689] GetProcessHeap () returned 0xa10000 [0252.689] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.689] GetProcessHeap () returned 0xa10000 [0252.689] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.689] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x60152b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.689] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.770] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x60152b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.771] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.771] GetProcessHeap () returned 0xa10000 [0252.771] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.771] GetProcessHeap () returned 0xa10000 [0252.771] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.771] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6052340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.771] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.779] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6052340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.779] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.780] GetProcessHeap () returned 0xa10000 [0252.780] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.780] GetProcessHeap () returned 0xa10000 [0252.780] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.780] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x608f3d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.780] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.791] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x608f3d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.791] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.792] GetProcessHeap () returned 0xa10000 [0252.792] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.792] GetProcessHeap () returned 0xa10000 [0252.792] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.792] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x60cc460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.792] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.801] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x60cc460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.801] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.802] GetProcessHeap () returned 0xa10000 [0252.802] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.802] GetProcessHeap () returned 0xa10000 [0252.802] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.802] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61094f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.802] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.872] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61094f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.872] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.872] GetProcessHeap () returned 0xa10000 [0252.872] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.872] GetProcessHeap () returned 0xa10000 [0252.872] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.872] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6146580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.873] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6146580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.885] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.885] GetProcessHeap () returned 0xa10000 [0252.885] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.885] GetProcessHeap () returned 0xa10000 [0252.885] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.885] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6183610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.885] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.893] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6183610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.893] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.894] GetProcessHeap () returned 0xa10000 [0252.894] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.894] GetProcessHeap () returned 0xa10000 [0252.894] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.894] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61c06a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.894] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.902] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61c06a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.902] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.903] GetProcessHeap () returned 0xa10000 [0252.903] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.903] GetProcessHeap () returned 0xa10000 [0252.903] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.903] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61fd730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.903] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.920] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61fd730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.920] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.922] GetProcessHeap () returned 0xa10000 [0252.922] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.922] GetProcessHeap () returned 0xa10000 [0252.922] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.922] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x623a7c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.922] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.936] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x623a7c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.936] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.937] GetProcessHeap () returned 0xa10000 [0252.937] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.937] GetProcessHeap () returned 0xa10000 [0252.937] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.937] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6277850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.937] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6277850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.946] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.947] GetProcessHeap () returned 0xa10000 [0252.947] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.947] GetProcessHeap () returned 0xa10000 [0252.947] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x62b48e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.947] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.955] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x62b48e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.955] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.955] GetProcessHeap () returned 0xa10000 [0252.955] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.955] GetProcessHeap () returned 0xa10000 [0252.956] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.956] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x62f1970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.956] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.981] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x62f1970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.981] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.983] GetProcessHeap () returned 0xa10000 [0252.983] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.983] GetProcessHeap () returned 0xa10000 [0252.983] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.983] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x632ea00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.983] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0252.992] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x632ea00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.992] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0252.993] GetProcessHeap () returned 0xa10000 [0252.993] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0252.993] GetProcessHeap () returned 0xa10000 [0252.993] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0252.993] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x636ba90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.993] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.001] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x636ba90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.001] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.001] GetProcessHeap () returned 0xa10000 [0253.002] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.002] GetProcessHeap () returned 0xa10000 [0253.002] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.002] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x63a8b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.002] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x63a8b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.012] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.013] GetProcessHeap () returned 0xa10000 [0253.013] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.013] GetProcessHeap () returned 0xa10000 [0253.013] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.013] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x63e5bb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.013] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.029] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x63e5bb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.029] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.030] GetProcessHeap () returned 0xa10000 [0253.030] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.030] GetProcessHeap () returned 0xa10000 [0253.030] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.031] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6422c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.031] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.039] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6422c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.039] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.040] GetProcessHeap () returned 0xa10000 [0253.040] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.040] GetProcessHeap () returned 0xa10000 [0253.040] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.040] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x645fcd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.040] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.048] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x645fcd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.048] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.049] GetProcessHeap () returned 0xa10000 [0253.049] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.049] GetProcessHeap () returned 0xa10000 [0253.049] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.049] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x649cd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.049] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.057] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x649cd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.057] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.057] GetProcessHeap () returned 0xa10000 [0253.057] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.057] GetProcessHeap () returned 0xa10000 [0253.057] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.058] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x64d9df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.058] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.069] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x64d9df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.069] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.070] GetProcessHeap () returned 0xa10000 [0253.070] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.070] GetProcessHeap () returned 0xa10000 [0253.070] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.070] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6516e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.070] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.132] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6516e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.132] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.133] GetProcessHeap () returned 0xa10000 [0253.133] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.133] GetProcessHeap () returned 0xa10000 [0253.133] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.133] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6553f10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.133] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.142] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6553f10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.142] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.142] GetProcessHeap () returned 0xa10000 [0253.142] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.142] GetProcessHeap () returned 0xa10000 [0253.142] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.143] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6590fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.143] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.184] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6590fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.184] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.185] GetProcessHeap () returned 0xa10000 [0253.185] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.185] GetProcessHeap () returned 0xa10000 [0253.185] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.185] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x65ce030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.186] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.195] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x65ce030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.195] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.196] GetProcessHeap () returned 0xa10000 [0253.196] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.196] GetProcessHeap () returned 0xa10000 [0253.196] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.196] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x660b0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.196] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.228] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x660b0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.228] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.229] GetProcessHeap () returned 0xa10000 [0253.229] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.229] GetProcessHeap () returned 0xa10000 [0253.229] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.229] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6648150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.229] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.237] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6648150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.237] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.237] GetProcessHeap () returned 0xa10000 [0253.237] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.268] GetProcessHeap () returned 0xa10000 [0253.268] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.268] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66851e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.268] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.277] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66851e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.277] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.278] GetProcessHeap () returned 0xa10000 [0253.278] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.278] GetProcessHeap () returned 0xa10000 [0253.278] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.278] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66c2270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.278] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.288] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66c2270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.288] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.288] GetProcessHeap () returned 0xa10000 [0253.288] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.288] GetProcessHeap () returned 0xa10000 [0253.288] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.288] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66ff300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.289] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.385] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66ff300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.385] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.387] GetProcessHeap () returned 0xa10000 [0253.387] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.387] GetProcessHeap () returned 0xa10000 [0253.387] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.387] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x673c390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.387] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.422] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x673c390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.422] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.423] GetProcessHeap () returned 0xa10000 [0253.423] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.423] GetProcessHeap () returned 0xa10000 [0253.423] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.423] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6779420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.423] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.433] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6779420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.433] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.434] GetProcessHeap () returned 0xa10000 [0253.434] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.434] GetProcessHeap () returned 0xa10000 [0253.434] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.434] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x67b64b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.434] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.444] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x67b64b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.444] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.444] GetProcessHeap () returned 0xa10000 [0253.444] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.444] GetProcessHeap () returned 0xa10000 [0253.444] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.444] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x67f3540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.445] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.463] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x67f3540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.463] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.465] GetProcessHeap () returned 0xa10000 [0253.465] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.465] GetProcessHeap () returned 0xa10000 [0253.465] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.465] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68305d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.465] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.474] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68305d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.474] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.474] GetProcessHeap () returned 0xa10000 [0253.474] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.474] GetProcessHeap () returned 0xa10000 [0253.474] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.475] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x686d660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.475] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.483] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x686d660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.483] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.484] GetProcessHeap () returned 0xa10000 [0253.484] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.484] GetProcessHeap () returned 0xa10000 [0253.484] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.484] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68aa6f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.484] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.527] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68aa6f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.527] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.528] GetProcessHeap () returned 0xa10000 [0253.528] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.528] GetProcessHeap () returned 0xa10000 [0253.528] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.528] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68e7780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.528] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.561] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68e7780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.561] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.562] GetProcessHeap () returned 0xa10000 [0253.562] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.562] GetProcessHeap () returned 0xa10000 [0253.562] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.563] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6924810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.563] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6924810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.571] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.572] GetProcessHeap () returned 0xa10000 [0253.572] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.572] GetProcessHeap () returned 0xa10000 [0253.572] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.572] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x69618a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.572] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.579] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x69618a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.579] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.580] GetProcessHeap () returned 0xa10000 [0253.580] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.580] GetProcessHeap () returned 0xa10000 [0253.580] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.580] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x699e930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.580] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.587] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x699e930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.587] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.588] GetProcessHeap () returned 0xa10000 [0253.588] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.588] GetProcessHeap () returned 0xa10000 [0253.588] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.588] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x69db9c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.588] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.598] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x69db9c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.598] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.599] GetProcessHeap () returned 0xa10000 [0253.599] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.599] GetProcessHeap () returned 0xa10000 [0253.599] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.599] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a18a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.599] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.617] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a18a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.617] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.618] GetProcessHeap () returned 0xa10000 [0253.618] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.618] GetProcessHeap () returned 0xa10000 [0253.618] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.618] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a55ae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.618] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.627] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a55ae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.627] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.627] GetProcessHeap () returned 0xa10000 [0253.627] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.627] GetProcessHeap () returned 0xa10000 [0253.627] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.627] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a92b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.627] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.635] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a92b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.635] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.635] GetProcessHeap () returned 0xa10000 [0253.635] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.636] GetProcessHeap () returned 0xa10000 [0253.636] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.636] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6acfc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.636] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6acfc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.651] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.652] GetProcessHeap () returned 0xa10000 [0253.652] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.652] GetProcessHeap () returned 0xa10000 [0253.652] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b0cc90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.652] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.670] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b0cc90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.670] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.671] GetProcessHeap () returned 0xa10000 [0253.671] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.671] GetProcessHeap () returned 0xa10000 [0253.671] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b49d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.672] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.680] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b49d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.680] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.681] GetProcessHeap () returned 0xa10000 [0253.681] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.681] GetProcessHeap () returned 0xa10000 [0253.681] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.681] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b86db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.681] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.689] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b86db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.689] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.690] GetProcessHeap () returned 0xa10000 [0253.690] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.690] GetProcessHeap () returned 0xa10000 [0253.690] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.690] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6bc3e40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.690] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.706] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6bc3e40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.706] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.706] GetProcessHeap () returned 0xa10000 [0253.706] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.706] GetProcessHeap () returned 0xa10000 [0253.706] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.706] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c00ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.707] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.724] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c00ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.724] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.724] GetProcessHeap () returned 0xa10000 [0253.724] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.724] GetProcessHeap () returned 0xa10000 [0253.725] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.725] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c3df60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.725] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.734] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c3df60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.735] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.735] GetProcessHeap () returned 0xa10000 [0253.735] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.735] GetProcessHeap () returned 0xa10000 [0253.735] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.735] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c7aff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.735] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.744] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c7aff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.744] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.744] GetProcessHeap () returned 0xa10000 [0253.744] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.744] GetProcessHeap () returned 0xa10000 [0253.744] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.744] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6cb8080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.745] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.791] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6cb8080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.792] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.792] GetProcessHeap () returned 0xa10000 [0253.792] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.792] GetProcessHeap () returned 0xa10000 [0253.792] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.792] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6cf5110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.792] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.933] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6cf5110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.933] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.934] GetProcessHeap () returned 0xa10000 [0253.934] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.934] GetProcessHeap () returned 0xa10000 [0253.934] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.934] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6d321a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.935] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6d321a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.946] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.947] GetProcessHeap () returned 0xa10000 [0253.947] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.947] GetProcessHeap () returned 0xa10000 [0253.947] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6d6f230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.947] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.979] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6d6f230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.979] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.980] GetProcessHeap () returned 0xa10000 [0253.980] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.980] GetProcessHeap () returned 0xa10000 [0253.980] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.980] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6dac2c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.980] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0253.989] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6dac2c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.989] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0253.990] GetProcessHeap () returned 0xa10000 [0253.990] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0253.990] GetProcessHeap () returned 0xa10000 [0253.990] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0253.990] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6de9350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.990] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.026] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6de9350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.026] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.028] GetProcessHeap () returned 0xa10000 [0254.028] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.028] GetProcessHeap () returned 0xa10000 [0254.028] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.028] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6e263e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.028] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6e263e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.073] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.074] GetProcessHeap () returned 0xa10000 [0254.074] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.074] GetProcessHeap () returned 0xa10000 [0254.074] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.074] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6e63470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.074] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6e63470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.082] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.083] GetProcessHeap () returned 0xa10000 [0254.083] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.083] GetProcessHeap () returned 0xa10000 [0254.083] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.083] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6ea0500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.083] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.092] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6ea0500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.092] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.093] GetProcessHeap () returned 0xa10000 [0254.093] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.093] GetProcessHeap () returned 0xa10000 [0254.093] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.093] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6edd590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.093] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.103] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6edd590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.103] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.103] GetProcessHeap () returned 0xa10000 [0254.103] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.103] GetProcessHeap () returned 0xa10000 [0254.103] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.103] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f1a620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.104] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.160] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f1a620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.160] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.161] GetProcessHeap () returned 0xa10000 [0254.161] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.161] GetProcessHeap () returned 0xa10000 [0254.161] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.161] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f576b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.161] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.171] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f576b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.171] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.172] GetProcessHeap () returned 0xa10000 [0254.172] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.172] GetProcessHeap () returned 0xa10000 [0254.172] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.172] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f94740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.172] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.181] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f94740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.181] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.181] GetProcessHeap () returned 0xa10000 [0254.181] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.182] GetProcessHeap () returned 0xa10000 [0254.182] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6fd17d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.182] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.217] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6fd17d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.217] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.218] GetProcessHeap () returned 0xa10000 [0254.218] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.218] GetProcessHeap () returned 0xa10000 [0254.218] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x700e860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.218] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.235] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x700e860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.236] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.236] GetProcessHeap () returned 0xa10000 [0254.236] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.236] GetProcessHeap () returned 0xa10000 [0254.236] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.236] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x704b8f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.236] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.245] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x704b8f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.245] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.245] GetProcessHeap () returned 0xa10000 [0254.245] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.245] GetProcessHeap () returned 0xa10000 [0254.245] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.245] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7088980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.245] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.270] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7088980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.274] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.275] GetProcessHeap () returned 0xa10000 [0254.275] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.275] GetProcessHeap () returned 0xa10000 [0254.275] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.275] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x70c5a10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.275] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.283] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x70c5a10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.283] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.283] GetProcessHeap () returned 0xa10000 [0254.283] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.283] GetProcessHeap () returned 0xa10000 [0254.283] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.283] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7102aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.284] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.305] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7102aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.305] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.305] GetProcessHeap () returned 0xa10000 [0254.306] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.306] GetProcessHeap () returned 0xa10000 [0254.306] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.306] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x713fb30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.306] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.315] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x713fb30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.315] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.316] GetProcessHeap () returned 0xa10000 [0254.316] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.316] GetProcessHeap () returned 0xa10000 [0254.316] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.316] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x717cbc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.316] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.327] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x717cbc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.327] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.328] GetProcessHeap () returned 0xa10000 [0254.328] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.328] GetProcessHeap () returned 0xa10000 [0254.328] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.328] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x71b9c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.328] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.349] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x71b9c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.349] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.349] GetProcessHeap () returned 0xa10000 [0254.349] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.349] GetProcessHeap () returned 0xa10000 [0254.349] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.350] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x71f6ce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.350] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.368] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x71f6ce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.368] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.369] GetProcessHeap () returned 0xa10000 [0254.369] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.369] GetProcessHeap () returned 0xa10000 [0254.369] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.369] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7233d70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.369] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.405] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7233d70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.405] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.405] GetProcessHeap () returned 0xa10000 [0254.405] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.406] GetProcessHeap () returned 0xa10000 [0254.406] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.406] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7270e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.406] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.415] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7270e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.415] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.416] GetProcessHeap () returned 0xa10000 [0254.416] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.416] GetProcessHeap () returned 0xa10000 [0254.416] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.416] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x72ade90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.416] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.424] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x72ade90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.424] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.425] GetProcessHeap () returned 0xa10000 [0254.425] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.425] GetProcessHeap () returned 0xa10000 [0254.425] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.425] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x72eaf20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.426] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.479] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x72eaf20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.479] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.481] GetProcessHeap () returned 0xa10000 [0254.481] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.481] GetProcessHeap () returned 0xa10000 [0254.481] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.481] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7327fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.481] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.512] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7327fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.512] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.513] GetProcessHeap () returned 0xa10000 [0254.513] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.513] GetProcessHeap () returned 0xa10000 [0254.513] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.513] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7365040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.513] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.521] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7365040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.521] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.521] GetProcessHeap () returned 0xa10000 [0254.521] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.521] GetProcessHeap () returned 0xa10000 [0254.521] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.522] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x73a20d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.522] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.530] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x73a20d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.530] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.530] GetProcessHeap () returned 0xa10000 [0254.530] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.530] GetProcessHeap () returned 0xa10000 [0254.530] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.531] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x73df160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.531] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.576] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x73df160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.576] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.577] GetProcessHeap () returned 0xa10000 [0254.577] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.577] GetProcessHeap () returned 0xa10000 [0254.577] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.577] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x741c1f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.577] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.669] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x741c1f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.669] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.670] GetProcessHeap () returned 0xa10000 [0254.670] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.670] GetProcessHeap () returned 0xa10000 [0254.670] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.670] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7459280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.670] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.683] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7459280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.683] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.684] GetProcessHeap () returned 0xa10000 [0254.684] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.684] GetProcessHeap () returned 0xa10000 [0254.684] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.684] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7496310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.684] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.716] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7496310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.716] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.716] GetProcessHeap () returned 0xa10000 [0254.716] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.716] GetProcessHeap () returned 0xa10000 [0254.717] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.717] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x74d33a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.717] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.727] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x74d33a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.727] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.727] GetProcessHeap () returned 0xa10000 [0254.727] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.727] GetProcessHeap () returned 0xa10000 [0254.727] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.727] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7510430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.727] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.744] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7510430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.744] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.745] GetProcessHeap () returned 0xa10000 [0254.745] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.745] GetProcessHeap () returned 0xa10000 [0254.745] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.745] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x754d4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.745] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.770] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x754d4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.770] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.771] GetProcessHeap () returned 0xa10000 [0254.771] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.771] GetProcessHeap () returned 0xa10000 [0254.771] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.771] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x758a550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.771] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.781] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x758a550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.781] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.782] GetProcessHeap () returned 0xa10000 [0254.782] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.782] GetProcessHeap () returned 0xa10000 [0254.782] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.782] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x75c75e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.782] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.792] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x75c75e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.792] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.793] GetProcessHeap () returned 0xa10000 [0254.793] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.793] GetProcessHeap () returned 0xa10000 [0254.793] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.793] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7604670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.793] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.822] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7604670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.822] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.823] GetProcessHeap () returned 0xa10000 [0254.823] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.823] GetProcessHeap () returned 0xa10000 [0254.823] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.823] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7641700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.823] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.832] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7641700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.833] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.833] GetProcessHeap () returned 0xa10000 [0254.833] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.833] GetProcessHeap () returned 0xa10000 [0254.833] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.833] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x767e790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.833] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.843] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x767e790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.843] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.844] GetProcessHeap () returned 0xa10000 [0254.844] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.844] GetProcessHeap () returned 0xa10000 [0254.844] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.844] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76bb820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.844] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.853] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76bb820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.853] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.854] GetProcessHeap () returned 0xa10000 [0254.854] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.854] GetProcessHeap () returned 0xa10000 [0254.854] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.854] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76f88b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.854] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.923] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76f88b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.923] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.924] GetProcessHeap () returned 0xa10000 [0254.924] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.924] GetProcessHeap () returned 0xa10000 [0254.924] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.924] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7735940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.925] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.934] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7735940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.934] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.935] GetProcessHeap () returned 0xa10000 [0254.935] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.935] GetProcessHeap () returned 0xa10000 [0254.935] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.935] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77729d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.935] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77729d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.946] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.947] GetProcessHeap () returned 0xa10000 [0254.947] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.947] GetProcessHeap () returned 0xa10000 [0254.947] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77afa60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.947] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.962] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77afa60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.962] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.962] GetProcessHeap () returned 0xa10000 [0254.962] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.962] GetProcessHeap () returned 0xa10000 [0254.963] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.963] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77ecaf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.963] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0254.990] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77ecaf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.990] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0254.991] GetProcessHeap () returned 0xa10000 [0254.991] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0254.991] GetProcessHeap () returned 0xa10000 [0254.991] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0254.991] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7829b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.992] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.001] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7829b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.001] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.001] GetProcessHeap () returned 0xa10000 [0255.002] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.002] GetProcessHeap () returned 0xa10000 [0255.002] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.002] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7866c10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.002] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.021] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7866c10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.022] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.022] GetProcessHeap () returned 0xa10000 [0255.022] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.022] GetProcessHeap () returned 0xa10000 [0255.022] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.022] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x78a3ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.022] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.030] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x78a3ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.030] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.031] GetProcessHeap () returned 0xa10000 [0255.031] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.031] GetProcessHeap () returned 0xa10000 [0255.031] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.031] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x78e0d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.031] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.041] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x78e0d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.041] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.041] GetProcessHeap () returned 0xa10000 [0255.041] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.041] GetProcessHeap () returned 0xa10000 [0255.041] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.041] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x791ddc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.041] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.078] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x791ddc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.078] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.078] GetProcessHeap () returned 0xa10000 [0255.078] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.078] GetProcessHeap () returned 0xa10000 [0255.078] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.078] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x795ae50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.079] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.088] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x795ae50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.088] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.089] GetProcessHeap () returned 0xa10000 [0255.089] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.089] GetProcessHeap () returned 0xa10000 [0255.089] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.089] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7997ee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.089] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.098] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7997ee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.098] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.099] GetProcessHeap () returned 0xa10000 [0255.099] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.099] GetProcessHeap () returned 0xa10000 [0255.099] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.099] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x79d4f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.099] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.108] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x79d4f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.108] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.109] GetProcessHeap () returned 0xa10000 [0255.109] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.109] GetProcessHeap () returned 0xa10000 [0255.109] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.109] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a12000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.109] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.127] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a12000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.127] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.127] GetProcessHeap () returned 0xa10000 [0255.127] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.127] GetProcessHeap () returned 0xa10000 [0255.127] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.128] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a4f090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.128] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.136] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a4f090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.136] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.137] GetProcessHeap () returned 0xa10000 [0255.137] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.137] GetProcessHeap () returned 0xa10000 [0255.137] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.137] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a8c120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.137] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.146] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a8c120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.146] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.147] GetProcessHeap () returned 0xa10000 [0255.147] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.147] GetProcessHeap () returned 0xa10000 [0255.147] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.147] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7ac91b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.147] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.157] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7ac91b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.157] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.158] GetProcessHeap () returned 0xa10000 [0255.158] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.158] GetProcessHeap () returned 0xa10000 [0255.158] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.158] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b06240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.158] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.181] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b06240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.181] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.182] GetProcessHeap () returned 0xa10000 [0255.182] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.182] GetProcessHeap () returned 0xa10000 [0255.182] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b432d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.182] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.191] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b432d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.191] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.192] GetProcessHeap () returned 0xa10000 [0255.192] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.192] GetProcessHeap () returned 0xa10000 [0255.192] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.192] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b80360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.192] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.201] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b80360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.201] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.201] GetProcessHeap () returned 0xa10000 [0255.202] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.202] GetProcessHeap () returned 0xa10000 [0255.202] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.202] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7bbd3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.202] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.213] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7bbd3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.214] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.214] GetProcessHeap () returned 0xa10000 [0255.214] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.214] GetProcessHeap () returned 0xa10000 [0255.214] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.214] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7bfa480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.214] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.231] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7bfa480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.231] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.232] GetProcessHeap () returned 0xa10000 [0255.232] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.232] GetProcessHeap () returned 0xa10000 [0255.232] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.232] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7c37510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.232] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.241] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7c37510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.241] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.242] GetProcessHeap () returned 0xa10000 [0255.242] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.242] GetProcessHeap () returned 0xa10000 [0255.242] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.242] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7c745a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.242] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.256] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7c745a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.256] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.256] GetProcessHeap () returned 0xa10000 [0255.257] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.257] GetProcessHeap () returned 0xa10000 [0255.257] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.257] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7cb1630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.257] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7cb1630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.266] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.266] GetProcessHeap () returned 0xa10000 [0255.266] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.266] GetProcessHeap () returned 0xa10000 [0255.266] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7cee6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.266] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.345] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7cee6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.346] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.347] GetProcessHeap () returned 0xa10000 [0255.347] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.363] GetProcessHeap () returned 0xa10000 [0255.363] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.363] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7d2b750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.363] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.370] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7d2b750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.370] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.370] GetProcessHeap () returned 0xa10000 [0255.370] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.370] GetProcessHeap () returned 0xa10000 [0255.370] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.370] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7d687e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.370] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.384] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7d687e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.384] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.384] GetProcessHeap () returned 0xa10000 [0255.384] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.384] GetProcessHeap () returned 0xa10000 [0255.384] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.384] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7da5870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.384] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.393] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7da5870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.393] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.394] GetProcessHeap () returned 0xa10000 [0255.394] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.394] GetProcessHeap () returned 0xa10000 [0255.394] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.394] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7de2900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.394] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.447] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7de2900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.447] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.449] GetProcessHeap () returned 0xa10000 [0255.449] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.449] GetProcessHeap () returned 0xa10000 [0255.449] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.449] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e1f990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.449] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.514] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e1f990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.514] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.514] GetProcessHeap () returned 0xa10000 [0255.514] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.514] GetProcessHeap () returned 0xa10000 [0255.514] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.514] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e5ca20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.514] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.523] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e5ca20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.523] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.523] GetProcessHeap () returned 0xa10000 [0255.523] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.523] GetProcessHeap () returned 0xa10000 [0255.523] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.523] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e99ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.523] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.533] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e99ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.533] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.534] GetProcessHeap () returned 0xa10000 [0255.534] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.534] GetProcessHeap () returned 0xa10000 [0255.534] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.534] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7ed6b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.534] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.543] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7ed6b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.543] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.543] GetProcessHeap () returned 0xa10000 [0255.543] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.543] GetProcessHeap () returned 0xa10000 [0255.543] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.544] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f13bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.544] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.594] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f13bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.594] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.595] GetProcessHeap () returned 0xa10000 [0255.595] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.595] GetProcessHeap () returned 0xa10000 [0255.595] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.595] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f50c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.595] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.602] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f50c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.602] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.603] GetProcessHeap () returned 0xa10000 [0255.603] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.603] GetProcessHeap () returned 0xa10000 [0255.603] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.603] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f8dcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.603] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.611] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f8dcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.611] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.611] GetProcessHeap () returned 0xa10000 [0255.611] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.611] GetProcessHeap () returned 0xa10000 [0255.611] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.611] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7fcad80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.611] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.619] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7fcad80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.619] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.620] GetProcessHeap () returned 0xa10000 [0255.620] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.620] GetProcessHeap () returned 0xa10000 [0255.620] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.620] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8007e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.620] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8007e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.671] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.672] GetProcessHeap () returned 0xa10000 [0255.672] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.672] GetProcessHeap () returned 0xa10000 [0255.672] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.672] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8044ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.672] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.679] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8044ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.679] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.680] GetProcessHeap () returned 0xa10000 [0255.680] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.680] GetProcessHeap () returned 0xa10000 [0255.680] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.680] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8081f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.680] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.687] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8081f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.687] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.687] GetProcessHeap () returned 0xa10000 [0255.687] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.687] GetProcessHeap () returned 0xa10000 [0255.687] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.688] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x80befc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.688] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.696] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x80befc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.696] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.696] GetProcessHeap () returned 0xa10000 [0255.696] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.696] GetProcessHeap () returned 0xa10000 [0255.696] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.696] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x80fc050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.696] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.721] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x80fc050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.721] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.722] GetProcessHeap () returned 0xa10000 [0255.722] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.722] GetProcessHeap () returned 0xa10000 [0255.722] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.722] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81390e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.722] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.729] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81390e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.729] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.730] GetProcessHeap () returned 0xa10000 [0255.730] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.730] GetProcessHeap () returned 0xa10000 [0255.730] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.730] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8176170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.730] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.737] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8176170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.737] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.738] GetProcessHeap () returned 0xa10000 [0255.738] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.738] GetProcessHeap () returned 0xa10000 [0255.738] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.738] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81b3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.738] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.745] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81b3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.745] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.746] GetProcessHeap () returned 0xa10000 [0255.746] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.746] GetProcessHeap () returned 0xa10000 [0255.746] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.746] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81f0290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.746] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.763] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81f0290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.763] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.764] GetProcessHeap () returned 0xa10000 [0255.764] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.764] GetProcessHeap () returned 0xa10000 [0255.764] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.765] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x822d320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.765] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.775] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x822d320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.775] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.776] GetProcessHeap () returned 0xa10000 [0255.776] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.776] GetProcessHeap () returned 0xa10000 [0255.776] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.776] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x826a3b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.776] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.786] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x826a3b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.786] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.787] GetProcessHeap () returned 0xa10000 [0255.787] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.787] GetProcessHeap () returned 0xa10000 [0255.787] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.787] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x82a7440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.787] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.812] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x82a7440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.812] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.813] GetProcessHeap () returned 0xa10000 [0255.813] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.813] GetProcessHeap () returned 0xa10000 [0255.813] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.813] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x82e44d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.813] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.838] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x82e44d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.838] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.839] GetProcessHeap () returned 0xa10000 [0255.839] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.839] GetProcessHeap () returned 0xa10000 [0255.839] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.839] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8321560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.839] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.848] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8321560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.848] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.848] GetProcessHeap () returned 0xa10000 [0255.848] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.848] GetProcessHeap () returned 0xa10000 [0255.848] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.848] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x835e5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.848] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.859] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x835e5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.859] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.860] GetProcessHeap () returned 0xa10000 [0255.860] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.860] GetProcessHeap () returned 0xa10000 [0255.860] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.860] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x839b680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.860] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.906] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x839b680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.906] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.907] GetProcessHeap () returned 0xa10000 [0255.907] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.907] GetProcessHeap () returned 0xa10000 [0255.907] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.907] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x83d8710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.907] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.916] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x83d8710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.916] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.917] GetProcessHeap () returned 0xa10000 [0255.917] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.917] GetProcessHeap () returned 0xa10000 [0255.917] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.917] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x84157a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.917] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.939] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x84157a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.939] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.940] GetProcessHeap () returned 0xa10000 [0255.940] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.940] GetProcessHeap () returned 0xa10000 [0255.940] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.940] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8452830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.940] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.952] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8452830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.952] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.953] GetProcessHeap () returned 0xa10000 [0255.953] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.953] GetProcessHeap () returned 0xa10000 [0255.953] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.953] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x848f8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.953] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.962] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x848f8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.962] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.963] GetProcessHeap () returned 0xa10000 [0255.963] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.963] GetProcessHeap () returned 0xa10000 [0255.963] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.963] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x84cc950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.963] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.973] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x84cc950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.974] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.974] GetProcessHeap () returned 0xa10000 [0255.974] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.974] GetProcessHeap () returned 0xa10000 [0255.974] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.974] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85099e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.975] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0255.995] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85099e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.995] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0255.996] GetProcessHeap () returned 0xa10000 [0255.996] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0255.996] GetProcessHeap () returned 0xa10000 [0255.996] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0255.996] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8546a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.997] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.010] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8546a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.010] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.010] GetProcessHeap () returned 0xa10000 [0256.010] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.010] GetProcessHeap () returned 0xa10000 [0256.010] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.010] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8583b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.010] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.020] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8583b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.020] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.021] GetProcessHeap () returned 0xa10000 [0256.021] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.021] GetProcessHeap () returned 0xa10000 [0256.021] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.021] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85c0b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.021] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.048] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85c0b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.048] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.048] GetProcessHeap () returned 0xa10000 [0256.048] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.048] GetProcessHeap () returned 0xa10000 [0256.048] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.049] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85fdc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.049] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.068] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85fdc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.068] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.069] GetProcessHeap () returned 0xa10000 [0256.069] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.070] GetProcessHeap () returned 0xa10000 [0256.070] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.070] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x863acb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.070] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.079] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x863acb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.079] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.080] GetProcessHeap () returned 0xa10000 [0256.080] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.080] GetProcessHeap () returned 0xa10000 [0256.080] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.080] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8677d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.080] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.089] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8677d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.089] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.090] GetProcessHeap () returned 0xa10000 [0256.090] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.090] GetProcessHeap () returned 0xa10000 [0256.090] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.090] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x86b4dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.090] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.120] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x86b4dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.120] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.121] GetProcessHeap () returned 0xa10000 [0256.121] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.121] GetProcessHeap () returned 0xa10000 [0256.121] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.121] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x86f1e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.121] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.174] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x86f1e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.174] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.176] GetProcessHeap () returned 0xa10000 [0256.176] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.176] GetProcessHeap () returned 0xa10000 [0256.176] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.176] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x872eef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.176] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.185] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x872eef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.185] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.185] GetProcessHeap () returned 0xa10000 [0256.185] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.185] GetProcessHeap () returned 0xa10000 [0256.185] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.185] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x876bf80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.186] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.221] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x876bf80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.221] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.222] GetProcessHeap () returned 0xa10000 [0256.222] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.222] GetProcessHeap () returned 0xa10000 [0256.222] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.222] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x87a9010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.222] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.231] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x87a9010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.232] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.232] GetProcessHeap () returned 0xa10000 [0256.232] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.232] GetProcessHeap () returned 0xa10000 [0256.232] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.232] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x87e60a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.232] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.339] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x87e60a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.339] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.341] GetProcessHeap () returned 0xa10000 [0256.341] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.341] GetProcessHeap () returned 0xa10000 [0256.341] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.341] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8823130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.341] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.402] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8823130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.402] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.403] GetProcessHeap () returned 0xa10000 [0256.403] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.403] GetProcessHeap () returned 0xa10000 [0256.403] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.403] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x88601c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.403] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.412] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x88601c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.412] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.413] GetProcessHeap () returned 0xa10000 [0256.413] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.413] GetProcessHeap () returned 0xa10000 [0256.413] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.413] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x889d250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.413] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.422] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x889d250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.423] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.423] GetProcessHeap () returned 0xa10000 [0256.423] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.423] GetProcessHeap () returned 0xa10000 [0256.423] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.423] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x88da2e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.423] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.433] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x88da2e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.433] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.434] GetProcessHeap () returned 0xa10000 [0256.434] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.434] GetProcessHeap () returned 0xa10000 [0256.434] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.434] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8917370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.434] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.514] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8917370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.514] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.514] GetProcessHeap () returned 0xa10000 [0256.514] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.514] GetProcessHeap () returned 0xa10000 [0256.514] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.515] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8954400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.515] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.524] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8954400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.524] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.525] GetProcessHeap () returned 0xa10000 [0256.525] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.525] GetProcessHeap () returned 0xa10000 [0256.525] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.525] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8991490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.525] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.570] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8991490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.570] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.571] GetProcessHeap () returned 0xa10000 [0256.571] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.571] GetProcessHeap () returned 0xa10000 [0256.571] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x89ce520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.571] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.583] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x89ce520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.584] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.584] GetProcessHeap () returned 0xa10000 [0256.584] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.584] GetProcessHeap () returned 0xa10000 [0256.584] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.584] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a0b5b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.584] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.740] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a0b5b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.740] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.740] GetProcessHeap () returned 0xa10000 [0256.740] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.740] GetProcessHeap () returned 0xa10000 [0256.740] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.740] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a48640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.741] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.749] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a48640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.749] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.749] GetProcessHeap () returned 0xa10000 [0256.749] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.750] GetProcessHeap () returned 0xa10000 [0256.750] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.750] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a856d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.750] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.786] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a856d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.786] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.786] GetProcessHeap () returned 0xa10000 [0256.786] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.786] GetProcessHeap () returned 0xa10000 [0256.786] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.786] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ac2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.786] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.796] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ac2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.796] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.797] GetProcessHeap () returned 0xa10000 [0256.797] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.797] GetProcessHeap () returned 0xa10000 [0256.797] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.797] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8aff7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.797] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.837] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8aff7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.837] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.839] GetProcessHeap () returned 0xa10000 [0256.839] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.839] GetProcessHeap () returned 0xa10000 [0256.839] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.839] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8b3c880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.839] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.861] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8b3c880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.861] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.862] GetProcessHeap () returned 0xa10000 [0256.862] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.862] GetProcessHeap () returned 0xa10000 [0256.862] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.862] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8b79910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.862] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.948] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8b79910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.948] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.948] GetProcessHeap () returned 0xa10000 [0256.948] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.948] GetProcessHeap () returned 0xa10000 [0256.948] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.948] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8bb69a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.948] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.955] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8bb69a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.955] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.956] GetProcessHeap () returned 0xa10000 [0256.956] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.956] GetProcessHeap () returned 0xa10000 [0256.956] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.956] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8bf3a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.956] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.983] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8bf3a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.983] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.984] GetProcessHeap () returned 0xa10000 [0256.984] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.984] GetProcessHeap () returned 0xa10000 [0256.984] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.984] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8c30ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.984] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0256.991] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8c30ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.991] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0256.991] GetProcessHeap () returned 0xa10000 [0256.991] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0256.991] GetProcessHeap () returned 0xa10000 [0256.991] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0256.991] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8c6db50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0256.991] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0257.010] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8c6db50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.010] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0257.011] GetProcessHeap () returned 0xa10000 [0257.011] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0257.011] GetProcessHeap () returned 0xa10000 [0257.011] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0257.011] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8caabe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.011] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0257.017] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8caabe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.017] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0257.018] GetProcessHeap () returned 0xa10000 [0257.018] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0257.018] GetProcessHeap () returned 0xa10000 [0257.018] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0257.018] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ce7c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.018] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0257.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ce7c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.073] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0257.074] GetProcessHeap () returned 0xa10000 [0257.074] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0257.074] GetProcessHeap () returned 0xa10000 [0257.074] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0257.074] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d24d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.074] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0257.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d24d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.082] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0257.083] GetProcessHeap () returned 0xa10000 [0257.083] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0257.083] GetProcessHeap () returned 0xa10000 [0257.083] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0257.083] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d61d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.083] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0257.091] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d61d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.091] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0257.092] GetProcessHeap () returned 0xa10000 [0257.092] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0257.092] GetProcessHeap () returned 0xa10000 [0257.092] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0257.092] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d9ee20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.092] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0257.101] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d9ee20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.101] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0257.102] GetProcessHeap () returned 0xa10000 [0257.102] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0257.102] GetProcessHeap () returned 0xa10000 [0257.102] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0257.102] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ddbeb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.102] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0257.108] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ddbeb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.108] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0257.109] GetProcessHeap () returned 0xa10000 [0257.109] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0257.109] GetProcessHeap () returned 0xa10000 [0257.109] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0257.109] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e18f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.109] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0257.921] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e18f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.921] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0257.922] GetProcessHeap () returned 0xa10000 [0257.922] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0257.922] GetProcessHeap () returned 0xa10000 [0257.922] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0257.922] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e55fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0257.922] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0258.643] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e55fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0258.644] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0258.644] GetProcessHeap () returned 0xa10000 [0258.644] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0258.645] GetProcessHeap () returned 0xa10000 [0258.645] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0258.646] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e93060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0258.646] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0258.922] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e93060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0258.922] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0258.923] GetProcessHeap () returned 0xa10000 [0258.923] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0258.923] GetProcessHeap () returned 0xa10000 [0258.923] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0258.923] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ed00f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0258.923] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0258.962] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ed00f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0258.962] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0258.963] GetProcessHeap () returned 0xa10000 [0258.963] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0258.963] GetProcessHeap () returned 0xa10000 [0258.963] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0258.963] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f0d180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0258.963] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0258.999] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f0d180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0258.999] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.000] GetProcessHeap () returned 0xa10000 [0259.000] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.000] GetProcessHeap () returned 0xa10000 [0259.000] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.000] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f4a210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.000] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.007] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f4a210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.007] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.008] GetProcessHeap () returned 0xa10000 [0259.008] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.008] GetProcessHeap () returned 0xa10000 [0259.008] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.008] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f872a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.008] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.023] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f872a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.023] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.024] GetProcessHeap () returned 0xa10000 [0259.024] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.024] GetProcessHeap () returned 0xa10000 [0259.024] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8fc4330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.024] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.052] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8fc4330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.052] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.052] GetProcessHeap () returned 0xa10000 [0259.052] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.052] GetProcessHeap () returned 0xa10000 [0259.053] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.053] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90013c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.053] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.067] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90013c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.067] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.067] GetProcessHeap () returned 0xa10000 [0259.067] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.067] GetProcessHeap () returned 0xa10000 [0259.067] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.067] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x903e450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.068] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x903e450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.149] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.149] GetProcessHeap () returned 0xa10000 [0259.149] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.149] GetProcessHeap () returned 0xa10000 [0259.149] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x907b4e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.149] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x907b4e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.182] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.183] GetProcessHeap () returned 0xa10000 [0259.183] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.183] GetProcessHeap () returned 0xa10000 [0259.183] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.183] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90b8570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.183] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.193] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90b8570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.193] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.193] GetProcessHeap () returned 0xa10000 [0259.193] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.193] GetProcessHeap () returned 0xa10000 [0259.193] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.193] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90f5600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.194] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.221] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90f5600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.221] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.222] GetProcessHeap () returned 0xa10000 [0259.222] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.222] GetProcessHeap () returned 0xa10000 [0259.222] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.222] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9132690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.222] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.230] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9132690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.230] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.231] GetProcessHeap () returned 0xa10000 [0259.231] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.231] GetProcessHeap () returned 0xa10000 [0259.231] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.231] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x916f720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.231] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.239] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x916f720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.239] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.240] GetProcessHeap () returned 0xa10000 [0259.240] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.240] GetProcessHeap () returned 0xa10000 [0259.240] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.240] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x91ac7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.240] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.250] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x91ac7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.250] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.251] GetProcessHeap () returned 0xa10000 [0259.251] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.251] GetProcessHeap () returned 0xa10000 [0259.251] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.251] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x91e9840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.251] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.271] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x91e9840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.271] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.272] GetProcessHeap () returned 0xa10000 [0259.272] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.272] GetProcessHeap () returned 0xa10000 [0259.272] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.272] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92268d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.272] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.280] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92268d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.280] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.281] GetProcessHeap () returned 0xa10000 [0259.281] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.281] GetProcessHeap () returned 0xa10000 [0259.281] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.281] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9263960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.281] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.288] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9263960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.288] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.288] GetProcessHeap () returned 0xa10000 [0259.288] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.288] GetProcessHeap () returned 0xa10000 [0259.288] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.289] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92a09f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.289] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.326] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92a09f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.326] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.326] GetProcessHeap () returned 0xa10000 [0259.326] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.326] GetProcessHeap () returned 0xa10000 [0259.326] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.326] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92dda80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.327] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.334] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92dda80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.334] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.335] GetProcessHeap () returned 0xa10000 [0259.335] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.335] GetProcessHeap () returned 0xa10000 [0259.335] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.335] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x931ab10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.335] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.354] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x931ab10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.354] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.355] GetProcessHeap () returned 0xa10000 [0259.355] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.355] GetProcessHeap () returned 0xa10000 [0259.355] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.355] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9357ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.355] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.373] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9357ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.373] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.373] GetProcessHeap () returned 0xa10000 [0259.373] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.373] GetProcessHeap () returned 0xa10000 [0259.373] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.373] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9394c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.373] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.382] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9394c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.382] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.383] GetProcessHeap () returned 0xa10000 [0259.383] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.383] GetProcessHeap () returned 0xa10000 [0259.383] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.383] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x93d1cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.383] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.391] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x93d1cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.391] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.392] GetProcessHeap () returned 0xa10000 [0259.392] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.392] GetProcessHeap () returned 0xa10000 [0259.392] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.392] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x940ed50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.392] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.407] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x940ed50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.407] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.408] GetProcessHeap () returned 0xa10000 [0259.408] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.408] GetProcessHeap () returned 0xa10000 [0259.408] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.408] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x944bde0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.408] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.418] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x944bde0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.418] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.418] GetProcessHeap () returned 0xa10000 [0259.418] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.418] GetProcessHeap () returned 0xa10000 [0259.418] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.419] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9488e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.419] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.427] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9488e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.427] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.427] GetProcessHeap () returned 0xa10000 [0259.427] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.427] GetProcessHeap () returned 0xa10000 [0259.427] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.427] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x94c5f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.427] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.435] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x94c5f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.435] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.436] GetProcessHeap () returned 0xa10000 [0259.436] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.436] GetProcessHeap () returned 0xa10000 [0259.436] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.436] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9502f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.436] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.453] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9502f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.453] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.454] GetProcessHeap () returned 0xa10000 [0259.454] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.454] GetProcessHeap () returned 0xa10000 [0259.454] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.454] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9540020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.454] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.461] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9540020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.461] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.462] GetProcessHeap () returned 0xa10000 [0259.462] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.462] GetProcessHeap () returned 0xa10000 [0259.462] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.462] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x957d0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.462] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.470] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x957d0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.470] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.470] GetProcessHeap () returned 0xa10000 [0259.470] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.470] GetProcessHeap () returned 0xa10000 [0259.470] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.470] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x95ba140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.470] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.478] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x95ba140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.478] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.479] GetProcessHeap () returned 0xa10000 [0259.479] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.479] GetProcessHeap () returned 0xa10000 [0259.479] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.479] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x95f71d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.479] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.495] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x95f71d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.495] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.496] GetProcessHeap () returned 0xa10000 [0259.496] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.496] GetProcessHeap () returned 0xa10000 [0259.496] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.496] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9634260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.496] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.523] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9634260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.523] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.524] GetProcessHeap () returned 0xa10000 [0259.524] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.524] GetProcessHeap () returned 0xa10000 [0259.524] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.524] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96712f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.524] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96712f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.532] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.533] GetProcessHeap () returned 0xa10000 [0259.533] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.533] GetProcessHeap () returned 0xa10000 [0259.533] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.533] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96ae380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.533] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.540] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96ae380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.540] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.541] GetProcessHeap () returned 0xa10000 [0259.541] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.541] GetProcessHeap () returned 0xa10000 [0259.541] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.541] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96eb410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.541] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.558] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96eb410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.559] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.561] GetProcessHeap () returned 0xa10000 [0259.561] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.561] GetProcessHeap () returned 0xa10000 [0259.561] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.561] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97284a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.561] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.568] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97284a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.568] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.569] GetProcessHeap () returned 0xa10000 [0259.569] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.569] GetProcessHeap () returned 0xa10000 [0259.569] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.569] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9765530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.569] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.577] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9765530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.577] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.578] GetProcessHeap () returned 0xa10000 [0259.578] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.578] GetProcessHeap () returned 0xa10000 [0259.578] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.578] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97a25c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.578] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.585] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97a25c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.586] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.586] GetProcessHeap () returned 0xa10000 [0259.586] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.586] GetProcessHeap () returned 0xa10000 [0259.586] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.586] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97df650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.586] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.595] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97df650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.596] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.596] GetProcessHeap () returned 0xa10000 [0259.596] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.596] GetProcessHeap () returned 0xa10000 [0259.596] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.596] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x981c6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.596] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.613] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x981c6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.613] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.614] GetProcessHeap () returned 0xa10000 [0259.614] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.614] GetProcessHeap () returned 0xa10000 [0259.614] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.614] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9859770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.614] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.626] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9859770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.626] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.626] GetProcessHeap () returned 0xa10000 [0259.626] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.626] GetProcessHeap () returned 0xa10000 [0259.626] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.626] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9896800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.627] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.634] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9896800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.635] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.635] GetProcessHeap () returned 0xa10000 [0259.635] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.635] GetProcessHeap () returned 0xa10000 [0259.635] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.635] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x98d3890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.635] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.643] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x98d3890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.644] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.644] GetProcessHeap () returned 0xa10000 [0259.644] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.644] GetProcessHeap () returned 0xa10000 [0259.644] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.644] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9910920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.644] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.662] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9910920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.662] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.663] GetProcessHeap () returned 0xa10000 [0259.663] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.663] GetProcessHeap () returned 0xa10000 [0259.663] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.663] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x994d9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.663] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x994d9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.671] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.671] GetProcessHeap () returned 0xa10000 [0259.671] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.671] GetProcessHeap () returned 0xa10000 [0259.671] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x998aa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.671] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.680] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x998aa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.680] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.681] GetProcessHeap () returned 0xa10000 [0259.681] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.681] GetProcessHeap () returned 0xa10000 [0259.681] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.681] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x99c7ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.681] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.690] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x99c7ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.690] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.691] GetProcessHeap () returned 0xa10000 [0259.691] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.691] GetProcessHeap () returned 0xa10000 [0259.691] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.691] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a04b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.691] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.705] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a04b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.706] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.706] GetProcessHeap () returned 0xa10000 [0259.706] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.706] GetProcessHeap () returned 0xa10000 [0259.706] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.706] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a41bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.706] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.713] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a41bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.713] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.713] GetProcessHeap () returned 0xa10000 [0259.713] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.713] GetProcessHeap () returned 0xa10000 [0259.713] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.713] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a7ec80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.713] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.725] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a7ec80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.725] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.726] GetProcessHeap () returned 0xa10000 [0259.726] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.726] GetProcessHeap () returned 0xa10000 [0259.726] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.726] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9abbd10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.726] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.734] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9abbd10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.734] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.734] GetProcessHeap () returned 0xa10000 [0259.734] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.734] GetProcessHeap () returned 0xa10000 [0259.734] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.734] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9af8da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.734] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.751] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9af8da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.751] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.752] GetProcessHeap () returned 0xa10000 [0259.752] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.752] GetProcessHeap () returned 0xa10000 [0259.752] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.752] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9b35e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.752] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.761] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9b35e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.761] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.762] GetProcessHeap () returned 0xa10000 [0259.762] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.762] GetProcessHeap () returned 0xa10000 [0259.762] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.762] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9b72ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.762] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.770] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9b72ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.770] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.771] GetProcessHeap () returned 0xa10000 [0259.771] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.771] GetProcessHeap () returned 0xa10000 [0259.771] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.771] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9baff50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.771] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.780] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9baff50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.780] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.780] GetProcessHeap () returned 0xa10000 [0259.780] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.780] GetProcessHeap () returned 0xa10000 [0259.780] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.781] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9becfe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.781] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.796] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9becfe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.797] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.798] GetProcessHeap () returned 0xa10000 [0259.798] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.798] GetProcessHeap () returned 0xa10000 [0259.798] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.798] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c2a070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.798] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.806] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c2a070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.806] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.806] GetProcessHeap () returned 0xa10000 [0259.806] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.807] GetProcessHeap () returned 0xa10000 [0259.807] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.807] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c67100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.807] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.815] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c67100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.815] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.816] GetProcessHeap () returned 0xa10000 [0259.816] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.816] GetProcessHeap () returned 0xa10000 [0259.816] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.816] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ca4190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.816] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.826] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ca4190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.826] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.827] GetProcessHeap () returned 0xa10000 [0259.827] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.827] GetProcessHeap () returned 0xa10000 [0259.827] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.827] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ce1220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.827] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.835] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ce1220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.835] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.836] GetProcessHeap () returned 0xa10000 [0259.836] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.836] GetProcessHeap () returned 0xa10000 [0259.836] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.836] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d1e2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.836] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.854] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d1e2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.854] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.854] GetProcessHeap () returned 0xa10000 [0259.854] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.854] GetProcessHeap () returned 0xa10000 [0259.855] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.855] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d5b340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.855] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.863] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d5b340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.863] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.864] GetProcessHeap () returned 0xa10000 [0259.864] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.864] GetProcessHeap () returned 0xa10000 [0259.864] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.864] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d983d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.864] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.875] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d983d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.875] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.876] GetProcessHeap () returned 0xa10000 [0259.876] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.876] GetProcessHeap () returned 0xa10000 [0259.876] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.876] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9dd5460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.876] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.886] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9dd5460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.887] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.887] GetProcessHeap () returned 0xa10000 [0259.887] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.887] GetProcessHeap () returned 0xa10000 [0259.887] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.887] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e124f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.887] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.932] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e124f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.932] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.932] GetProcessHeap () returned 0xa10000 [0259.932] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.932] GetProcessHeap () returned 0xa10000 [0259.932] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.932] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e4f580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.933] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.940] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e4f580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.940] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.941] GetProcessHeap () returned 0xa10000 [0259.941] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.941] GetProcessHeap () returned 0xa10000 [0259.941] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.941] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e8c610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.941] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.958] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e8c610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.958] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.959] GetProcessHeap () returned 0xa10000 [0259.959] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.959] GetProcessHeap () returned 0xa10000 [0259.959] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.959] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ec96a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.959] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.968] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ec96a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.969] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.969] GetProcessHeap () returned 0xa10000 [0259.969] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.969] GetProcessHeap () returned 0xa10000 [0259.969] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.969] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f06730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.969] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.988] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f06730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.988] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0259.989] GetProcessHeap () returned 0xa10000 [0259.989] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0259.989] GetProcessHeap () returned 0xa10000 [0259.989] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0259.989] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f437c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.989] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0259.999] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f437c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0259.999] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.000] GetProcessHeap () returned 0xa10000 [0260.000] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.000] GetProcessHeap () returned 0xa10000 [0260.000] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.000] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f80850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.000] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.010] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f80850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.010] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.010] GetProcessHeap () returned 0xa10000 [0260.011] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.011] GetProcessHeap () returned 0xa10000 [0260.011] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.011] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9fbd8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.011] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.020] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9fbd8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.021] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.021] GetProcessHeap () returned 0xa10000 [0260.021] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.021] GetProcessHeap () returned 0xa10000 [0260.021] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.021] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ffa970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.022] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.039] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ffa970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.039] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.040] GetProcessHeap () returned 0xa10000 [0260.040] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.040] GetProcessHeap () returned 0xa10000 [0260.040] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.040] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa037a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.041] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.051] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa037a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.052] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.052] GetProcessHeap () returned 0xa10000 [0260.052] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.052] GetProcessHeap () returned 0xa10000 [0260.052] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.052] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa074a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.052] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.062] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa074a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.062] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.063] GetProcessHeap () returned 0xa10000 [0260.063] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.063] GetProcessHeap () returned 0xa10000 [0260.063] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.063] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa0b1b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.063] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa0b1b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.073] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.073] GetProcessHeap () returned 0xa10000 [0260.073] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.073] GetProcessHeap () returned 0xa10000 [0260.073] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa0eebb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.074] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.098] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa0eebb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.098] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.101] GetProcessHeap () returned 0xa10000 [0260.101] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.101] GetProcessHeap () returned 0xa10000 [0260.101] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.101] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa12bc40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.102] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.118] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa12bc40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.118] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.119] GetProcessHeap () returned 0xa10000 [0260.120] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.120] GetProcessHeap () returned 0xa10000 [0260.120] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.120] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa168cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.120] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.134] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa168cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.134] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.135] GetProcessHeap () returned 0xa10000 [0260.135] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.135] GetProcessHeap () returned 0xa10000 [0260.135] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.135] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa1a5d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.135] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.162] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa1a5d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.162] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.163] GetProcessHeap () returned 0xa10000 [0260.163] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.163] GetProcessHeap () returned 0xa10000 [0260.163] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.163] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa1e2df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.163] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.180] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa1e2df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.180] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.182] GetProcessHeap () returned 0xa10000 [0260.182] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.182] GetProcessHeap () returned 0xa10000 [0260.182] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa21fe80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.182] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.191] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa21fe80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.191] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.192] GetProcessHeap () returned 0xa10000 [0260.192] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.192] GetProcessHeap () returned 0xa10000 [0260.192] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.192] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa25cf10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.192] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.202] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa25cf10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.202] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.203] GetProcessHeap () returned 0xa10000 [0260.203] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.203] GetProcessHeap () returned 0xa10000 [0260.203] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.203] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa299fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.203] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.213] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa299fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.213] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.214] GetProcessHeap () returned 0xa10000 [0260.214] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.214] GetProcessHeap () returned 0xa10000 [0260.214] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.214] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa2d7030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.214] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.223] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa2d7030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.224] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.224] GetProcessHeap () returned 0xa10000 [0260.224] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.224] GetProcessHeap () returned 0xa10000 [0260.224] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.224] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa3140c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.224] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.243] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa3140c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.243] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.243] GetProcessHeap () returned 0xa10000 [0260.243] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.243] GetProcessHeap () returned 0xa10000 [0260.243] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.243] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa351150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.244] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.254] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa351150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.254] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.255] GetProcessHeap () returned 0xa10000 [0260.255] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.255] GetProcessHeap () returned 0xa10000 [0260.255] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.255] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa38e1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.255] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.265] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa38e1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.265] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.265] GetProcessHeap () returned 0xa10000 [0260.265] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.265] GetProcessHeap () returned 0xa10000 [0260.265] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.265] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa3cb270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.266] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.275] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa3cb270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.275] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.276] GetProcessHeap () returned 0xa10000 [0260.276] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.276] GetProcessHeap () returned 0xa10000 [0260.276] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.276] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa408300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.276] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.294] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa408300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.294] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.295] GetProcessHeap () returned 0xa10000 [0260.295] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.295] GetProcessHeap () returned 0xa10000 [0260.295] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.295] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa445390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.295] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.304] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa445390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.304] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.305] GetProcessHeap () returned 0xa10000 [0260.305] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.305] GetProcessHeap () returned 0xa10000 [0260.305] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.305] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa482420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.305] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.315] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa482420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.315] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.316] GetProcessHeap () returned 0xa10000 [0260.316] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.316] GetProcessHeap () returned 0xa10000 [0260.316] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.316] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa4bf4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.316] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.329] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa4bf4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.329] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.329] GetProcessHeap () returned 0xa10000 [0260.329] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.330] GetProcessHeap () returned 0xa10000 [0260.330] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.330] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa4fc540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.330] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.348] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa4fc540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.348] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.349] GetProcessHeap () returned 0xa10000 [0260.349] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.349] GetProcessHeap () returned 0xa10000 [0260.349] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.349] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5395d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.350] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.360] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5395d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.360] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.360] GetProcessHeap () returned 0xa10000 [0260.360] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.360] GetProcessHeap () returned 0xa10000 [0260.360] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.360] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa576660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.361] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.370] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa576660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.370] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.371] GetProcessHeap () returned 0xa10000 [0260.371] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.371] GetProcessHeap () returned 0xa10000 [0260.371] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.371] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5b36f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.371] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.382] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5b36f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.382] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.383] GetProcessHeap () returned 0xa10000 [0260.383] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.383] GetProcessHeap () returned 0xa10000 [0260.383] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.383] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5f0780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.383] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.401] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5f0780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.401] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.402] GetProcessHeap () returned 0xa10000 [0260.402] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.403] GetProcessHeap () returned 0xa10000 [0260.403] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.403] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa62d810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.403] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.412] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa62d810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.412] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.413] GetProcessHeap () returned 0xa10000 [0260.413] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.413] GetProcessHeap () returned 0xa10000 [0260.413] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.413] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa66a8a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.413] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.425] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa66a8a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.425] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.426] GetProcessHeap () returned 0xa10000 [0260.426] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.426] GetProcessHeap () returned 0xa10000 [0260.426] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.426] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa6a7930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.426] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.436] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa6a7930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.436] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.437] GetProcessHeap () returned 0xa10000 [0260.437] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.437] GetProcessHeap () returned 0xa10000 [0260.437] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.437] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa6e49c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.437] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.459] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa6e49c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.459] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.460] GetProcessHeap () returned 0xa10000 [0260.460] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.460] GetProcessHeap () returned 0xa10000 [0260.460] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.460] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa721a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.460] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.473] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa721a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.473] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.473] GetProcessHeap () returned 0xa10000 [0260.473] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.473] GetProcessHeap () returned 0xa10000 [0260.473] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.473] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa75eae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.473] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.483] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa75eae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.483] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.484] GetProcessHeap () returned 0xa10000 [0260.484] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.484] GetProcessHeap () returned 0xa10000 [0260.484] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.484] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa79bb70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.484] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.494] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa79bb70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.494] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.494] GetProcessHeap () returned 0xa10000 [0260.494] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.494] GetProcessHeap () returned 0xa10000 [0260.494] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.494] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa7d8c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.494] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.531] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa7d8c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.531] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.531] GetProcessHeap () returned 0xa10000 [0260.532] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.532] GetProcessHeap () returned 0xa10000 [0260.532] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa815c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.532] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.550] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa815c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.550] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.550] GetProcessHeap () returned 0xa10000 [0260.550] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.551] GetProcessHeap () returned 0xa10000 [0260.551] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.551] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa852d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.551] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.558] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa852d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.558] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.559] GetProcessHeap () returned 0xa10000 [0260.559] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.561] GetProcessHeap () returned 0xa10000 [0260.562] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.562] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa88fdb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.562] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa88fdb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.571] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.572] GetProcessHeap () returned 0xa10000 [0260.572] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.572] GetProcessHeap () returned 0xa10000 [0260.572] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.572] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa8cce40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.572] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.582] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa8cce40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.582] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.583] GetProcessHeap () returned 0xa10000 [0260.583] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.583] GetProcessHeap () returned 0xa10000 [0260.583] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.583] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa909ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.583] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.598] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa909ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.598] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.599] GetProcessHeap () returned 0xa10000 [0260.599] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.599] GetProcessHeap () returned 0xa10000 [0260.599] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.599] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa946f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.599] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.629] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa946f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.629] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.630] GetProcessHeap () returned 0xa10000 [0260.630] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.630] GetProcessHeap () returned 0xa10000 [0260.630] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.630] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa983ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.630] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.640] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa983ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.640] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.641] GetProcessHeap () returned 0xa10000 [0260.641] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.641] GetProcessHeap () returned 0xa10000 [0260.641] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.641] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa9c1080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.641] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa9c1080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.651] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.652] GetProcessHeap () returned 0xa10000 [0260.652] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.652] GetProcessHeap () returned 0xa10000 [0260.652] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa9fe110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.652] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.670] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa9fe110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.670] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.672] GetProcessHeap () returned 0xa10000 [0260.672] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.672] GetProcessHeap () returned 0xa10000 [0260.672] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.673] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaa3b1a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.673] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.682] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaa3b1a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.682] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.683] GetProcessHeap () returned 0xa10000 [0260.683] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.683] GetProcessHeap () returned 0xa10000 [0260.683] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.683] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaa78230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.683] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.693] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaa78230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.693] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.694] GetProcessHeap () returned 0xa10000 [0260.694] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.694] GetProcessHeap () returned 0xa10000 [0260.694] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.694] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaab52c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.694] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.703] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaab52c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.703] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.704] GetProcessHeap () returned 0xa10000 [0260.704] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.704] GetProcessHeap () returned 0xa10000 [0260.704] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.704] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaaf2350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.704] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.722] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaaf2350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.722] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.724] GetProcessHeap () returned 0xa10000 [0260.724] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.724] GetProcessHeap () returned 0xa10000 [0260.724] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.724] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xab2f3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.724] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.735] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xab2f3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.735] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.736] GetProcessHeap () returned 0xa10000 [0260.736] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.736] GetProcessHeap () returned 0xa10000 [0260.736] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.736] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xab6c470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.736] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.746] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xab6c470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.746] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.748] GetProcessHeap () returned 0xa10000 [0260.748] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.748] GetProcessHeap () returned 0xa10000 [0260.748] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.748] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaba9500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.748] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.758] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaba9500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.758] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.759] GetProcessHeap () returned 0xa10000 [0260.759] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.759] GetProcessHeap () returned 0xa10000 [0260.759] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.759] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xabe6590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.759] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.779] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xabe6590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.779] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.781] GetProcessHeap () returned 0xa10000 [0260.781] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.781] GetProcessHeap () returned 0xa10000 [0260.781] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.781] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac23620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.781] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.792] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac23620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.792] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.793] GetProcessHeap () returned 0xa10000 [0260.793] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.793] GetProcessHeap () returned 0xa10000 [0260.793] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.793] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac606b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.793] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.810] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac606b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.811] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.811] GetProcessHeap () returned 0xa10000 [0260.811] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.811] GetProcessHeap () returned 0xa10000 [0260.811] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3b688 [0260.812] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac9d740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.812] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x1e848, lpOverlapped=0x0) returned 1 [0260.822] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac9d740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0260.822] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x1e848, lpOverlapped=0x0) returned 1 [0260.822] GetProcessHeap () returned 0xa10000 [0260.822] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0260.823] CloseHandle (hObject=0x260) returned 1 [0261.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1410 | out: hHeap=0x28d0000) returned 1 [0261.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0261.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0261.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f8 | out: hHeap=0x28d0000) returned 1 [0261.326] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d13e0 [0261.369] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.nefilim")) returned 1 [0261.370] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0261.370] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0261.387] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0261.423] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2=".") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="..") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="...") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="windows") returned -1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="rsa") returned -1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="NTDETECT.COM") returned -1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="ntldr") returned -1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="MSDOS.SYS") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="IO.SYS") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="boot.ini") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="ntuser.dat") returned -1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="desktop.ini") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="CONFIG.SYS") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="RECYCLER") returned -1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="bootmgr") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="programdata") returned -1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="appdata") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="program files") returned -1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="program files (x86)") returned -1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="microsoft") returned 1 [0261.424] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="sophos") returned -1 [0261.424] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1388 [0261.424] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0261.440] PathFindExtensionW (pszPath="netfx_Core_x64.msi") returned=".msi" [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0261.513] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0261.513] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2=".") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="..") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="...") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="windows") returned -1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="rsa") returned -1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="NTDETECT.COM") returned -1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="ntldr") returned -1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="MSDOS.SYS") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="IO.SYS") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="boot.ini") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="ntuser.dat") returned -1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="desktop.ini") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="CONFIG.SYS") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="RECYCLER") returned -1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="bootmgr") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="programdata") returned -1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="appdata") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="program files") returned -1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="program files (x86)") returned -1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="microsoft") returned 1 [0261.514] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="sophos") returned -1 [0261.515] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d13f0 [0261.515] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0261.515] PathFindExtensionW (pszPath="netfx_Core_x86.msi") returned=".msi" [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0261.515] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0261.515] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0261.515] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2=".") returned 1 [0261.515] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="..") returned 1 [0261.515] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="...") returned 1 [0261.515] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="windows") returned -1 [0261.515] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="$RECYCLE.BIN") returned 1 [0261.515] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="rsa") returned -1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="NTDETECT.COM") returned -1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="ntldr") returned -1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="MSDOS.SYS") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="IO.SYS") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="boot.ini") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="AUTOEXEC.BAT") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="ntuser.dat") returned -1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="desktop.ini") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="CONFIG.SYS") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="RECYCLER") returned -1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="BOOTSECT.BAK") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="bootmgr") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="programdata") returned -1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="appdata") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="program files") returned -1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="program files (x86)") returned -1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="microsoft") returned 1 [0261.516] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="sophos") returned -1 [0261.516] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1330 [0261.516] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f0 | out: hHeap=0x28d0000) returned 1 [0261.516] PathFindExtensionW (pszPath="netfx_Extended.mzz") returned=".mzz" [0261.516] lstrcmpiW (lpString1=".mzz", lpString2=".exe") returned 1 [0261.516] lstrcmpiW (lpString1=".mzz", lpString2=".log") returned 1 [0261.516] lstrcmpiW (lpString1=".mzz", lpString2=".cab") returned 1 [0261.516] lstrcmpiW (lpString1=".mzz", lpString2=".cmd") returned 1 [0261.516] lstrcmpiW (lpString1=".mzz", lpString2=".com") returned 1 [0261.516] lstrcmpiW (lpString1=".mzz", lpString2=".cpl") returned 1 [0261.516] lstrcmpiW (lpString1=".mzz", lpString2=".ini") returned 1 [0261.517] lstrcmpiW (lpString1=".mzz", lpString2=".dll") returned 1 [0261.517] lstrcmpiW (lpString1=".mzz", lpString2=".url") returned -1 [0261.517] lstrcmpiW (lpString1=".mzz", lpString2=".ttf") returned -1 [0261.517] lstrcmpiW (lpString1=".mzz", lpString2=".mp3") returned 1 [0261.517] lstrcmpiW (lpString1=".mzz", lpString2=".pif") returned -1 [0261.517] lstrcmpiW (lpString1=".mzz", lpString2=".mp4") returned 1 [0261.517] lstrcmpiW (lpString1=".mzz", lpString2=".NEFILIM") returned -1 [0261.517] lstrcmpiW (lpString1=".mzz", lpString2=".msi") returned 1 [0261.517] lstrcmpiW (lpString1=".mzz", lpString2=".lnk") returned 1 [0261.517] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0261.517] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1398 [0261.517] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0261.698] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=43131591) returned 1 [0261.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1400 [0261.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1418 [0261.698] SystemFunction036 (in: RandomBuffer=0x28d1400, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1400) returned 1 [0261.698] SystemFunction036 (in: RandomBuffer=0x28d1418, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1418) returned 1 [0261.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1430 [0261.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0261.723] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1430*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1430*, pdwDataLen=0x26ef248*=0x100) returned 1 [0261.727] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0261.815] GetTickCount () returned 0x1181b36 [0261.815] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0261.816] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0261.816] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29222c7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0261.839] SetLastError (dwErrCode=0x0) [0261.866] WriteFile (in: hFile=0x260, lpBuffer=0x28d1430*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1430*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0262.284] GetLastError () returned 0x0 [0262.284] GetLastError () returned 0x0 [0262.284] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29223c7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0262.284] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0262.284] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29224c7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0262.304] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc2aa6ace, dwHighDateTime=0x1d5fd73)) [0262.304] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0262.304] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0262.419] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0262.419] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x927c0) returned 0x2d29020 [0262.421] GetCurrentProcess () returned 0xffffffff [0262.421] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0262.469] ReadFile (in: hFile=0x260, lpBuffer=0x2d29020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2d29020*, lpNumberOfBytesRead=0x26ef2ac*=0x927c0, lpOverlapped=0x0) returned 1 [0262.753] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0262.754] WriteFile (in: hFile=0x260, lpBuffer=0x2d29020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d29020*, lpNumberOfBytesWritten=0x26ef2a0*=0x927c0, lpOverlapped=0x0) returned 1 [0262.757] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d29020 | out: hHeap=0x28d0000) returned 1 [0262.760] CloseHandle (hObject=0x260) returned 1 [0263.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1430 | out: hHeap=0x28d0000) returned 1 [0263.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0263.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1400 | out: hHeap=0x28d0000) returned 1 [0263.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1418 | out: hHeap=0x28d0000) returned 1 [0263.280] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1400 [0263.280] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.nefilim")) returned 1 [0263.281] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1400 | out: hHeap=0x28d0000) returned 1 [0263.281] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1398 | out: hHeap=0x28d0000) returned 1 [0263.281] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2=".") returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="..") returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="...") returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="windows") returned -1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="rsa") returned -1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="NTDETECT.COM") returned -1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="ntldr") returned -1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="MSDOS.SYS") returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="IO.SYS") returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="boot.ini") returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="ntuser.dat") returned -1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="desktop.ini") returned 1 [0263.281] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="CONFIG.SYS") returned 1 [0263.282] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="RECYCLER") returned -1 [0263.282] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0263.282] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="bootmgr") returned 1 [0263.282] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="programdata") returned -1 [0263.282] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="appdata") returned 1 [0263.282] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="program files") returned -1 [0263.282] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="program files (x86)") returned -1 [0263.282] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="microsoft") returned 1 [0263.282] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="sophos") returned -1 [0263.282] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1398 [0263.282] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.282] PathFindExtensionW (pszPath="netfx_Extended_x64.msi") returned=".msi" [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0263.282] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0263.282] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2=".") returned 1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="..") returned 1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="...") returned 1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="windows") returned -1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="rsa") returned -1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="NTDETECT.COM") returned -1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="ntldr") returned -1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="MSDOS.SYS") returned 1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="IO.SYS") returned 1 [0263.283] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="boot.ini") returned 1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="ntuser.dat") returned -1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="desktop.ini") returned 1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="CONFIG.SYS") returned 1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="RECYCLER") returned -1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="bootmgr") returned 1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="programdata") returned -1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="appdata") returned 1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="program files") returned -1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="program files (x86)") returned -1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="microsoft") returned 1 [0263.284] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="sophos") returned -1 [0263.284] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1330 [0263.284] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1398 | out: hHeap=0x28d0000) returned 1 [0263.284] PathFindExtensionW (pszPath="netfx_Extended_x86.msi") returned=".msi" [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0263.284] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0263.284] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0263.284] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2=".") returned 1 [0263.284] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="..") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="...") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="windows") returned -1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="rsa") returned -1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="NTDETECT.COM") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="ntldr") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="MSDOS.SYS") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="IO.SYS") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="boot.ini") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="ntuser.dat") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="desktop.ini") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="CONFIG.SYS") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="RECYCLER") returned -1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="bootmgr") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="programdata") returned -1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="appdata") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="program files") returned -1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="program files (x86)") returned -1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="microsoft") returned 1 [0263.285] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="sophos") returned -1 [0263.285] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1398 [0263.285] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.285] PathFindExtensionW (pszPath="ParameterInfo.xml") returned=".xml" [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0263.285] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0263.286] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0263.286] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0263.286] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0263.286] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0263.286] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0263.286] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0263.286] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0263.286] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0263.286] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0263.287] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=272046) returned 1 [0263.287] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13f0 [0263.287] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1408 [0263.287] SystemFunction036 (in: RandomBuffer=0x28d13f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13f0) returned 1 [0263.287] SystemFunction036 (in: RandomBuffer=0x28d1408, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1408) returned 1 [0263.287] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1420 [0263.287] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0263.287] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1420*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1420*, pdwDataLen=0x26ef248*=0x100) returned 1 [0263.290] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0263.292] GetTickCount () returned 0x11820f3 [0263.292] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0263.292] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.292] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x426ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.292] SetLastError (dwErrCode=0x0) [0263.292] WriteFile (in: hFile=0x260, lpBuffer=0x28d1420*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1420*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.295] GetLastError () returned 0x0 [0263.295] GetLastError () returned 0x0 [0263.295] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x427ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.295] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.295] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x428ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.295] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc340b320, dwHighDateTime=0x1d5fd73)) [0263.295] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0263.295] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.295] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0263.295] GetProcessHeap () returned 0xa10000 [0263.295] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x426ae) returned 0xa3b688 [0263.320] GetSystemDefaultLangID () returned 0xa20409 [0263.320] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.320] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x426ae, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x426ae, lpOverlapped=0x0) returned 1 [0263.343] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.368] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x426ae, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x426ae, lpOverlapped=0x0) returned 1 [0263.369] GetProcessHeap () returned 0xa10000 [0263.394] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0263.394] CloseHandle (hObject=0x260) returned 1 [0263.403] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1420 | out: hHeap=0x28d0000) returned 1 [0263.403] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0263.403] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f0 | out: hHeap=0x28d0000) returned 1 [0263.404] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1408 | out: hHeap=0x28d0000) returned 1 [0263.404] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d13f0 [0263.404] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.nefilim")) returned 1 [0263.404] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f0 | out: hHeap=0x28d0000) returned 1 [0263.404] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.404] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2=".") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="..") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="...") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="windows") returned -1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="rsa") returned -1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="NTDETECT.COM") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="ntldr") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="MSDOS.SYS") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="IO.SYS") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="boot.ini") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="ntuser.dat") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="desktop.ini") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="CONFIG.SYS") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="RECYCLER") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="bootmgr") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="programdata") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="appdata") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="program files") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="program files (x86)") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="microsoft") returned 1 [0263.405] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="sophos") returned -1 [0263.405] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0263.405] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1398 | out: hHeap=0x28d0000) returned 1 [0263.405] PathFindExtensionW (pszPath="RGB9RAST_x64.msi") returned=".msi" [0263.405] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0263.405] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0263.406] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0263.406] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2=".") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="..") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="...") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="windows") returned -1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="rsa") returned -1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="NTDETECT.COM") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="ntldr") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="MSDOS.SYS") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="IO.SYS") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="boot.ini") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="ntuser.dat") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="desktop.ini") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="CONFIG.SYS") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="RECYCLER") returned 1 [0263.406] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0263.407] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="bootmgr") returned 1 [0263.407] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="programdata") returned 1 [0263.407] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="appdata") returned 1 [0263.407] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="program files") returned 1 [0263.407] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="program files (x86)") returned 1 [0263.407] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="microsoft") returned 1 [0263.407] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="sophos") returned -1 [0263.407] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1388 [0263.407] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.407] PathFindExtensionW (pszPath="RGB9Rast_x86.msi") returned=".msi" [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0263.407] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0263.407] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0263.407] lstrcmpiW (lpString1="Setup.exe", lpString2=".") returned 1 [0263.407] lstrcmpiW (lpString1="Setup.exe", lpString2="..") returned 1 [0263.407] lstrcmpiW (lpString1="Setup.exe", lpString2="...") returned 1 [0263.407] lstrcmpiW (lpString1="Setup.exe", lpString2="windows") returned -1 [0263.407] lstrcmpiW (lpString1="Setup.exe", lpString2="$RECYCLE.BIN") returned 1 [0263.407] lstrcmpiW (lpString1="Setup.exe", lpString2="rsa") returned 1 [0263.407] lstrcmpiW (lpString1="Setup.exe", lpString2="NTDETECT.COM") returned 1 [0263.407] lstrcmpiW (lpString1="Setup.exe", lpString2="ntldr") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="MSDOS.SYS") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="IO.SYS") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="boot.ini") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="AUTOEXEC.BAT") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="ntuser.dat") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="desktop.ini") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="CONFIG.SYS") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="RECYCLER") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="BOOTSECT.BAK") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="bootmgr") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="programdata") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="appdata") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="program files") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="program files (x86)") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="microsoft") returned 1 [0263.408] lstrcmpiW (lpString1="Setup.exe", lpString2="sophos") returned -1 [0263.408] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0263.408] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0263.408] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0263.408] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0263.408] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2=".") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="..") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="...") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="windows") returned -1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="$RECYCLE.BIN") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="rsa") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="NTDETECT.COM") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="ntldr") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="MSDOS.SYS") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="IO.SYS") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="boot.ini") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="AUTOEXEC.BAT") returned 1 [0263.408] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="ntuser.dat") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="desktop.ini") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="CONFIG.SYS") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="RECYCLER") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="BOOTSECT.BAK") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="bootmgr") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="programdata") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="appdata") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="program files") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="program files (x86)") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="microsoft") returned 1 [0263.409] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="sophos") returned -1 [0263.409] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1378 [0263.409] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.409] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0263.409] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0263.409] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0263.409] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0263.409] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0263.409] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0263.409] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0263.409] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0263.409] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0263.409] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2=".") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="..") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="...") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="windows") returned -1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="$RECYCLE.BIN") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="rsa") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="NTDETECT.COM") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="ntldr") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="MSDOS.SYS") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="IO.SYS") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="boot.ini") returned 1 [0263.409] lstrcmpiW (lpString1="SetupUi.dll", lpString2="AUTOEXEC.BAT") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="ntuser.dat") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="desktop.ini") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="CONFIG.SYS") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="RECYCLER") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="BOOTSECT.BAK") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="bootmgr") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="programdata") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="appdata") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="program files") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="program files (x86)") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="microsoft") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.dll", lpString2="sophos") returned -1 [0263.410] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d13d0 [0263.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1378 | out: hHeap=0x28d0000) returned 1 [0263.410] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0263.410] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0263.410] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0263.410] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0263.410] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0263.410] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0263.410] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0263.410] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0263.410] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0263.410] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.xsd", lpString2=".") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="..") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="...") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="windows") returned -1 [0263.410] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="$RECYCLE.BIN") returned 1 [0263.410] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="rsa") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="NTDETECT.COM") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="ntldr") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="MSDOS.SYS") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="IO.SYS") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="boot.ini") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="AUTOEXEC.BAT") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="ntuser.dat") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="desktop.ini") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="CONFIG.SYS") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="RECYCLER") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="BOOTSECT.BAK") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="bootmgr") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="programdata") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="appdata") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="program files") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="program files (x86)") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="microsoft") returned 1 [0263.411] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="sophos") returned -1 [0263.411] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0263.411] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13d0 | out: hHeap=0x28d0000) returned 1 [0263.411] PathFindExtensionW (pszPath="SetupUi.xsd") returned=".xsd" [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".exe") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".log") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".cab") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".cmd") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".com") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".cpl") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".ini") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".dll") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".url") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".ttf") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".mp3") returned 1 [0263.411] lstrcmpiW (lpString1=".xsd", lpString2=".pif") returned 1 [0263.570] lstrcmpiW (lpString1=".xsd", lpString2=".mp4") returned 1 [0263.570] lstrcmpiW (lpString1=".xsd", lpString2=".NEFILIM") returned 1 [0263.570] lstrcmpiW (lpString1=".xsd", lpString2=".msi") returned 1 [0263.570] lstrcmpiW (lpString1=".xsd", lpString2=".lnk") returned 1 [0263.570] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0263.570] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1388 [0263.570] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0263.570] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=30120) returned 1 [0263.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13e0 [0263.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13f8 [0263.571] SystemFunction036 (in: RandomBuffer=0x28d13e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13e0) returned 1 [0263.571] SystemFunction036 (in: RandomBuffer=0x28d13f8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13f8) returned 1 [0263.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1410 [0263.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0263.571] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x100) returned 1 [0263.573] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0263.576] GetTickCount () returned 0x118220c [0263.576] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0263.576] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.576] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x75a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.576] SetLastError (dwErrCode=0x0) [0263.576] WriteFile (in: hFile=0x260, lpBuffer=0x28d1410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1410*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.579] GetLastError () returned 0x0 [0263.579] GetLastError () returned 0x0 [0263.579] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.579] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.579] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.579] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc36b9f4a, dwHighDateTime=0x1d5fd73)) [0263.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0263.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.579] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0263.580] GetProcessHeap () returned 0xa10000 [0263.580] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x75a8) returned 0xa3b688 [0263.581] GetSystemDefaultLangID () returned 0xa20409 [0263.581] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.581] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x75a8, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x75a8, lpOverlapped=0x0) returned 1 [0263.584] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.584] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x75a8, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x75a8, lpOverlapped=0x0) returned 1 [0263.585] GetProcessHeap () returned 0xa10000 [0263.585] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0263.585] CloseHandle (hObject=0x260) returned 1 [0263.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1410 | out: hHeap=0x28d0000) returned 1 [0263.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0263.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f8 | out: hHeap=0x28d0000) returned 1 [0263.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d13e0 [0263.587] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), lpNewFileName="C:\\588bce7c90097ed212\\SetupUi.xsd.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.nefilim")) returned 1 [0263.588] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.588] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0263.588] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2=".") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="..") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="...") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="windows") returned -1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="$RECYCLE.BIN") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="rsa") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="NTDETECT.COM") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="ntldr") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="MSDOS.SYS") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="IO.SYS") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="boot.ini") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="AUTOEXEC.BAT") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="ntuser.dat") returned 1 [0263.588] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="desktop.ini") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="CONFIG.SYS") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="RECYCLER") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="BOOTSECT.BAK") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="bootmgr") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="programdata") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="appdata") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="program files") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="program files (x86)") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="microsoft") returned 1 [0263.589] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="sophos") returned -1 [0263.589] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1388 [0263.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.589] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0263.589] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0263.589] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2=".") returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="..") returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="...") returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="windows") returned -1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="$RECYCLE.BIN") returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="rsa") returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="NTDETECT.COM") returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="ntldr") returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="MSDOS.SYS") returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="IO.SYS") returned 1 [0263.589] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="boot.ini") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="ntuser.dat") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="desktop.ini") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="CONFIG.SYS") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="RECYCLER") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="BOOTSECT.BAK") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="bootmgr") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="programdata") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="appdata") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="program files") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="program files (x86)") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="microsoft") returned 1 [0263.590] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="sophos") returned 1 [0263.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0263.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0263.590] PathFindExtensionW (pszPath="SplashScreen.bmp") returned=".bmp" [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0263.590] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0263.591] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0263.591] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0263.591] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0263.591] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0263.591] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0263.591] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0263.591] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0263.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1388 [0263.591] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0263.591] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=41080) returned 1 [0263.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13e0 [0263.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13f8 [0263.591] SystemFunction036 (in: RandomBuffer=0x28d13e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13e0) returned 1 [0263.591] SystemFunction036 (in: RandomBuffer=0x28d13f8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13f8) returned 1 [0263.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1410 [0263.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0263.591] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x100) returned 1 [0263.593] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0263.596] GetTickCount () returned 0x118221c [0263.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0263.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.596] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa078, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.596] SetLastError (dwErrCode=0x0) [0263.596] WriteFile (in: hFile=0x260, lpBuffer=0x28d1410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1410*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.598] GetLastError () returned 0x0 [0263.598] GetLastError () returned 0x0 [0263.598] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa178, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.598] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.599] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa278, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.599] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc36e017b, dwHighDateTime=0x1d5fd73)) [0263.599] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0263.599] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.599] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0263.599] GetProcessHeap () returned 0xa10000 [0263.599] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xa078) returned 0xa3b688 [0263.601] GetSystemDefaultLangID () returned 0xa20409 [0263.601] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.601] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0xa078, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0xa078, lpOverlapped=0x0) returned 1 [0263.604] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.604] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0xa078, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0xa078, lpOverlapped=0x0) returned 1 [0263.605] GetProcessHeap () returned 0xa10000 [0263.605] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0263.605] CloseHandle (hObject=0x260) returned 1 [0263.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1410 | out: hHeap=0x28d0000) returned 1 [0263.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0263.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f8 | out: hHeap=0x28d0000) returned 1 [0263.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d13e0 [0263.609] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.nefilim")) returned 1 [0263.610] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.610] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0263.610] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0263.610] lstrcmpiW (lpString1="sqmapi.dll", lpString2=".") returned 1 [0263.610] lstrcmpiW (lpString1="sqmapi.dll", lpString2="..") returned 1 [0263.610] lstrcmpiW (lpString1="sqmapi.dll", lpString2="...") returned 1 [0263.610] lstrcmpiW (lpString1="sqmapi.dll", lpString2="windows") returned -1 [0263.610] lstrcmpiW (lpString1="sqmapi.dll", lpString2="$RECYCLE.BIN") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="rsa") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="NTDETECT.COM") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="ntldr") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="MSDOS.SYS") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="IO.SYS") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="boot.ini") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="AUTOEXEC.BAT") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="ntuser.dat") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="desktop.ini") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="CONFIG.SYS") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="RECYCLER") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="BOOTSECT.BAK") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="bootmgr") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="programdata") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="appdata") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="program files") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="program files (x86)") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="microsoft") returned 1 [0263.611] lstrcmpiW (lpString1="sqmapi.dll", lpString2="sophos") returned 1 [0263.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1388 [0263.611] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.611] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0263.611] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0263.611] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0263.611] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0263.612] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0263.612] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0263.612] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0263.612] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0263.612] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0263.612] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2=".") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="..") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="...") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="windows") returned -1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="$RECYCLE.BIN") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="rsa") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="NTDETECT.COM") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="ntldr") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="MSDOS.SYS") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="IO.SYS") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="boot.ini") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="AUTOEXEC.BAT") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="ntuser.dat") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="desktop.ini") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="CONFIG.SYS") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="RECYCLER") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="BOOTSECT.BAK") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="bootmgr") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="programdata") returned 1 [0263.612] lstrcmpiW (lpString1="Strings.xml", lpString2="appdata") returned 1 [0263.613] lstrcmpiW (lpString1="Strings.xml", lpString2="program files") returned 1 [0263.613] lstrcmpiW (lpString1="Strings.xml", lpString2="program files (x86)") returned 1 [0263.613] lstrcmpiW (lpString1="Strings.xml", lpString2="microsoft") returned 1 [0263.613] lstrcmpiW (lpString1="Strings.xml", lpString2="sophos") returned 1 [0263.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0263.613] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0263.613] PathFindExtensionW (pszPath="Strings.xml") returned=".xml" [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0263.613] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0263.613] lstrcmpiW (lpString1="Strings.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0263.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1388 [0263.613] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0263.614] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=14084) returned 1 [0263.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13e0 [0263.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13f8 [0263.614] SystemFunction036 (in: RandomBuffer=0x28d13e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13e0) returned 1 [0263.614] SystemFunction036 (in: RandomBuffer=0x28d13f8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13f8) returned 1 [0263.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1410 [0263.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0263.614] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x100) returned 1 [0263.619] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0263.622] GetTickCount () returned 0x118223b [0263.622] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0263.622] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.622] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3704, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.622] SetLastError (dwErrCode=0x0) [0263.622] WriteFile (in: hFile=0x260, lpBuffer=0x28d1410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1410*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.625] GetLastError () returned 0x0 [0263.625] GetLastError () returned 0x0 [0263.625] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3804, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.625] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.625] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3904, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.625] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc372e106, dwHighDateTime=0x1d5fd73)) [0263.625] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0263.625] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.625] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0263.625] GetProcessHeap () returned 0xa10000 [0263.625] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3704) returned 0xa3b688 [0263.627] GetSystemDefaultLangID () returned 0xa20409 [0263.627] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.627] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x3704, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x3704, lpOverlapped=0x0) returned 1 [0263.629] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.629] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x3704, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x3704, lpOverlapped=0x0) returned 1 [0263.629] GetProcessHeap () returned 0xa10000 [0263.629] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0263.629] CloseHandle (hObject=0x260) returned 1 [0263.632] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1410 | out: hHeap=0x28d0000) returned 1 [0263.632] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0263.632] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.632] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f8 | out: hHeap=0x28d0000) returned 1 [0263.632] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d13e0 [0263.632] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Strings.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\strings.xml.nefilim")) returned 1 [0263.633] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.633] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0263.633] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0263.633] lstrcmpiW (lpString1="UiInfo.xml", lpString2=".") returned 1 [0263.633] lstrcmpiW (lpString1="UiInfo.xml", lpString2="..") returned 1 [0263.633] lstrcmpiW (lpString1="UiInfo.xml", lpString2="...") returned 1 [0263.633] lstrcmpiW (lpString1="UiInfo.xml", lpString2="windows") returned -1 [0263.633] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0263.633] lstrcmpiW (lpString1="UiInfo.xml", lpString2="rsa") returned 1 [0263.633] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NTDETECT.COM") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntldr") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="MSDOS.SYS") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="IO.SYS") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="boot.ini") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntuser.dat") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="desktop.ini") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="CONFIG.SYS") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="RECYCLER") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="bootmgr") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="programdata") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="appdata") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files (x86)") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="microsoft") returned 1 [0263.634] lstrcmpiW (lpString1="UiInfo.xml", lpString2="sophos") returned 1 [0263.634] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1388 [0263.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.634] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0263.634] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0263.634] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0263.635] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0263.635] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0263.635] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0263.635] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0263.636] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=38898) returned 1 [0263.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13e0 [0263.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13f8 [0263.636] SystemFunction036 (in: RandomBuffer=0x28d13e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13e0) returned 1 [0263.636] SystemFunction036 (in: RandomBuffer=0x28d13f8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13f8) returned 1 [0263.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1410 [0263.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0263.636] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x100) returned 1 [0263.638] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0263.640] GetTickCount () returned 0x118224b [0263.640] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0263.640] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.640] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.640] SetLastError (dwErrCode=0x0) [0263.640] WriteFile (in: hFile=0x260, lpBuffer=0x28d1410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1410*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.642] GetLastError () returned 0x0 [0263.642] GetLastError () returned 0x0 [0263.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x98f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.642] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x99f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.642] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc3754653, dwHighDateTime=0x1d5fd73)) [0263.642] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0263.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.643] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0263.643] GetProcessHeap () returned 0xa10000 [0263.643] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x97f2) returned 0xa3b688 [0263.644] GetSystemDefaultLangID () returned 0xa20409 [0263.644] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.644] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x97f2, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x97f2, lpOverlapped=0x0) returned 1 [0263.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.652] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x97f2, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x97f2, lpOverlapped=0x0) returned 1 [0263.652] GetProcessHeap () returned 0xa10000 [0263.652] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0263.652] CloseHandle (hObject=0x260) returned 1 [0263.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1410 | out: hHeap=0x28d0000) returned 1 [0263.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0263.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f8 | out: hHeap=0x28d0000) returned 1 [0263.655] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d13e0 [0263.655] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\UiInfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.nefilim")) returned 1 [0263.656] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.656] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.656] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0263.656] lstrcmpiW (lpString1="watermark.bmp", lpString2=".") returned 1 [0263.656] lstrcmpiW (lpString1="watermark.bmp", lpString2="..") returned 1 [0263.656] lstrcmpiW (lpString1="watermark.bmp", lpString2="...") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="windows") returned -1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="$RECYCLE.BIN") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="rsa") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="NTDETECT.COM") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="ntldr") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="MSDOS.SYS") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="IO.SYS") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="boot.ini") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="ntuser.dat") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="desktop.ini") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="CONFIG.SYS") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="RECYCLER") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="BOOTSECT.BAK") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="bootmgr") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="programdata") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="appdata") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="program files") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="program files (x86)") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="microsoft") returned 1 [0263.657] lstrcmpiW (lpString1="watermark.bmp", lpString2="sophos") returned 1 [0263.657] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1330 [0263.657] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0263.657] PathFindExtensionW (pszPath="watermark.bmp") returned=".bmp" [0263.657] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0263.657] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0263.657] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0263.658] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0263.658] lstrcmpiW (lpString1="watermark.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0263.658] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1388 [0263.658] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0263.658] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=104072) returned 1 [0263.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13e0 [0263.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d13f8 [0263.659] SystemFunction036 (in: RandomBuffer=0x28d13e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13e0) returned 1 [0263.659] SystemFunction036 (in: RandomBuffer=0x28d13f8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d13f8) returned 1 [0263.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1410 [0263.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0263.659] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1410*, pdwDataLen=0x26ef248*=0x100) returned 1 [0263.660] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0263.667] GetTickCount () returned 0x118226a [0263.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0263.667] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.667] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19688, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.667] SetLastError (dwErrCode=0x0) [0263.667] WriteFile (in: hFile=0x260, lpBuffer=0x28d1410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1410*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.671] GetLastError () returned 0x0 [0263.671] GetLastError () returned 0x0 [0263.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19788, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.671] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19888, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.671] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc379ed3b, dwHighDateTime=0x1d5fd73)) [0263.671] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0263.671] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.671] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0263.671] GetProcessHeap () returned 0xa10000 [0263.671] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x19688) returned 0xa3b688 [0263.673] GetSystemDefaultLangID () returned 0xa20409 [0263.673] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.673] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x19688, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x19688, lpOverlapped=0x0) returned 1 [0263.683] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.683] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x19688, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x19688, lpOverlapped=0x0) returned 1 [0263.683] GetProcessHeap () returned 0xa10000 [0263.683] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0263.683] CloseHandle (hObject=0x260) returned 1 [0263.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1410 | out: hHeap=0x28d0000) returned 1 [0263.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0263.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13f8 | out: hHeap=0x28d0000) returned 1 [0263.687] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d13e0 [0263.687] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\watermark.bmp.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.nefilim")) returned 1 [0263.688] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13e0 | out: hHeap=0x28d0000) returned 1 [0263.688] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0263.688] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2=".") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="..") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="...") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="windows") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="rsa") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="NTDETECT.COM") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="ntldr") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="MSDOS.SYS") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="IO.SYS") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="boot.ini") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="AUTOEXEC.BAT") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="ntuser.dat") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="desktop.ini") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="CONFIG.SYS") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="RECYCLER") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="BOOTSECT.BAK") returned 1 [0263.688] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="bootmgr") returned 1 [0263.689] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="programdata") returned 1 [0263.689] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="appdata") returned 1 [0263.689] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="program files") returned 1 [0263.689] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="program files (x86)") returned 1 [0263.689] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="microsoft") returned 1 [0263.689] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="sophos") returned 1 [0263.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1388 [0263.689] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.689] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".NEFILIM") returned -1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0263.689] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0263.690] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0263.690] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1400 [0263.690] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0263.691] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=5198099) returned 1 [0263.691] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1330 [0263.691] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1348 [0263.691] SystemFunction036 (in: RandomBuffer=0x28d1330, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1330) returned 1 [0263.691] SystemFunction036 (in: RandomBuffer=0x28d1348, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1348) returned 1 [0263.691] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0263.691] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0263.691] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef248*=0x100) returned 1 [0263.693] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0263.696] GetTickCount () returned 0x1182289 [0263.696] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1478 [0263.696] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0263.696] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f5113, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.696] SetLastError (dwErrCode=0x0) [0263.696] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.698] GetLastError () returned 0x0 [0263.698] GetLastError () returned 0x0 [0263.698] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f5213, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.699] WriteFile (in: hFile=0x260, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0263.699] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f5313, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.699] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc37eb37e, dwHighDateTime=0x1d5fd73)) [0263.699] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1478 [0263.699] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0263.699] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0263.699] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x927c0) returned 0x2d2c020 [0263.701] GetCurrentProcess () returned 0xffffffff [0263.701] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.701] ReadFile (in: hFile=0x260, lpBuffer=0x2d2c020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2d2c020*, lpNumberOfBytesRead=0x26ef2ac*=0x927c0, lpOverlapped=0x0) returned 1 [0263.765] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.765] WriteFile (in: hFile=0x260, lpBuffer=0x2d2c020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d2c020*, lpNumberOfBytesWritten=0x26ef2a0*=0x927c0, lpOverlapped=0x0) returned 1 [0263.767] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d2c020 | out: hHeap=0x28d0000) returned 1 [0263.771] CloseHandle (hObject=0x260) returned 1 [0263.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0263.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0263.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1348 | out: hHeap=0x28d0000) returned 1 [0263.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1478 [0263.992] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.nefilim")) returned 1 [0263.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0263.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1400 | out: hHeap=0x28d0000) returned 1 [0263.993] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2=".") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="..") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="...") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="windows") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="$RECYCLE.BIN") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="rsa") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="NTDETECT.COM") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="ntldr") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="MSDOS.SYS") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="IO.SYS") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="boot.ini") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="AUTOEXEC.BAT") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="ntuser.dat") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="desktop.ini") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="CONFIG.SYS") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="RECYCLER") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="BOOTSECT.BAK") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="bootmgr") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="programdata") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="appdata") returned 1 [0263.993] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="program files") returned 1 [0263.994] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="program files (x86)") returned 1 [0263.994] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="microsoft") returned 1 [0263.994] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="sophos") returned 1 [0263.994] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1400 [0263.994] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1388 | out: hHeap=0x28d0000) returned 1 [0263.994] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".NEFILIM") returned -1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0263.994] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0263.994] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0263.994] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1478 [0263.994] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0263.995] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=2192672) returned 1 [0263.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0263.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1508 [0263.995] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0263.995] SystemFunction036 (in: RandomBuffer=0x28d1508, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1508) returned 1 [0263.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0263.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0263.995] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef248*=0x100) returned 1 [0263.997] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0263.999] GetTickCount () returned 0x11823b2 [0263.999] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1330 [0263.999] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0263.999] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x217520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0263.999] SetLastError (dwErrCode=0x0) [0263.999] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0264.002] GetLastError () returned 0x0 [0264.002] GetLastError () returned 0x0 [0264.002] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x217620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0264.002] WriteFile (in: hFile=0x260, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0264.002] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x217720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0264.002] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc3abfee9, dwHighDateTime=0x1d5fd73)) [0264.002] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1330 [0264.002] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0264.002] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0264.002] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x927c0) returned 0x2d26020 [0264.004] GetCurrentProcess () returned 0xffffffff [0264.004] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0264.004] ReadFile (in: hFile=0x260, lpBuffer=0x2d26020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2d26020*, lpNumberOfBytesRead=0x26ef2ac*=0x927c0, lpOverlapped=0x0) returned 1 [0264.059] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0264.059] WriteFile (in: hFile=0x260, lpBuffer=0x2d26020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d26020*, lpNumberOfBytesWritten=0x26ef2a0*=0x927c0, lpOverlapped=0x0) returned 1 [0264.061] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d26020 | out: hHeap=0x28d0000) returned 1 [0264.064] CloseHandle (hObject=0x260) returned 1 [0264.138] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0264.138] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0264.138] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0264.138] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0264.139] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1330 [0264.139] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.nefilim")) returned 1 [0264.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0264.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0264.139] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0264.139] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2=".") returned 1 [0264.139] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="..") returned 1 [0264.139] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="...") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="windows") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="rsa") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="NTDETECT.COM") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="ntldr") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="MSDOS.SYS") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="IO.SYS") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="boot.ini") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="AUTOEXEC.BAT") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="ntuser.dat") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="desktop.ini") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="CONFIG.SYS") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="RECYCLER") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="BOOTSECT.BAK") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="bootmgr") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="programdata") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="appdata") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="program files") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="program files (x86)") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="microsoft") returned 1 [0264.140] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="sophos") returned 1 [0264.140] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1478 [0264.140] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1400 | out: hHeap=0x28d0000) returned 1 [0264.140] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0264.140] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0264.140] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0264.140] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0264.140] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0264.140] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0264.140] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0264.140] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0264.140] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0264.141] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0264.141] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0264.141] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0264.141] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0264.141] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0264.141] lstrcmpiW (lpString1=".msu", lpString2=".NEFILIM") returned -1 [0264.141] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0264.141] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0264.141] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0264.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1330 [0264.141] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0264.141] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=5091790) returned 1 [0264.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14f0 [0264.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1508 [0264.141] SystemFunction036 (in: RandomBuffer=0x28d14f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14f0) returned 1 [0264.141] SystemFunction036 (in: RandomBuffer=0x28d1508, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1508) returned 1 [0264.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0264.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0264.141] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef248*=0x100) returned 1 [0264.143] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0264.145] GetTickCount () returned 0x118244f [0264.145] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d13a8 [0264.146] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13a8 | out: hHeap=0x28d0000) returned 1 [0264.146] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db1ce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0264.146] SetLastError (dwErrCode=0x0) [0264.146] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0264.157] GetLastError () returned 0x0 [0264.157] GetLastError () returned 0x0 [0264.157] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db2ce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0264.157] WriteFile (in: hFile=0x260, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0264.157] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db3ce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0264.157] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc3c3d5ca, dwHighDateTime=0x1d5fd73)) [0264.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d13a8 [0264.157] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13a8 | out: hHeap=0x28d0000) returned 1 [0264.157] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0264.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x927c0) returned 0x2d29020 [0264.160] GetCurrentProcess () returned 0xffffffff [0264.160] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0264.160] ReadFile (in: hFile=0x260, lpBuffer=0x2d29020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2d29020*, lpNumberOfBytesRead=0x26ef2ac*=0x927c0, lpOverlapped=0x0) returned 1 [0264.270] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0264.270] WriteFile (in: hFile=0x260, lpBuffer=0x2d29020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d29020*, lpNumberOfBytesWritten=0x26ef2a0*=0x927c0, lpOverlapped=0x0) returned 1 [0264.310] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d29020 | out: hHeap=0x28d0000) returned 1 [0264.313] CloseHandle (hObject=0x260) returned 1 [0265.262] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0265.262] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0265.262] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14f0 | out: hHeap=0x28d0000) returned 1 [0265.262] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1508 | out: hHeap=0x28d0000) returned 1 [0265.262] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d13a8 [0265.262] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.nefilim")) returned 1 [0265.263] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13a8 | out: hHeap=0x28d0000) returned 1 [0265.263] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0265.263] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2=".") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="..") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="...") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="windows") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="$RECYCLE.BIN") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="rsa") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="NTDETECT.COM") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="ntldr") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="MSDOS.SYS") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="IO.SYS") returned 1 [0265.263] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="boot.ini") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="AUTOEXEC.BAT") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="ntuser.dat") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="desktop.ini") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="CONFIG.SYS") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="RECYCLER") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="BOOTSECT.BAK") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="bootmgr") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="programdata") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="appdata") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="program files") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="program files (x86)") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="microsoft") returned 1 [0265.264] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="sophos") returned 1 [0265.264] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1330 [0265.264] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0265.264] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0265.264] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0265.265] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0265.265] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0265.265] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0265.265] lstrcmpiW (lpString1=".msu", lpString2=".NEFILIM") returned -1 [0265.265] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0265.265] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0265.265] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0265.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d13a8 [0265.265] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0265.265] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=2141433) returned 1 [0265.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1420 [0265.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1438 [0265.265] SystemFunction036 (in: RandomBuffer=0x28d1420, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1420) returned 1 [0265.265] SystemFunction036 (in: RandomBuffer=0x28d1438, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1438) returned 1 [0265.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0265.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0265.265] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef248*=0x100) returned 1 [0265.268] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0265.271] GetTickCount () returned 0x11828b4 [0265.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1450 [0265.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0265.271] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20acf9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0265.272] SetLastError (dwErrCode=0x0) [0265.272] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fd0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0267.367] GetLastError () returned 0x0 [0267.448] GetLastError () returned 0x0 [0267.448] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20adf9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0267.563] WriteFile (in: hFile=0x260, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0267.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20aef9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0267.720] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc5e43243, dwHighDateTime=0x1d5fd73)) [0267.745] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1450 [0267.772] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1450 | out: hHeap=0x28d0000) returned 1 [0267.772] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0267.772] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x927c0) returned 0x2d27020 [0267.796] GetCurrentProcess () returned 0xffffffff [0267.796] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0267.876] ReadFile (in: hFile=0x260, lpBuffer=0x2d27020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2d27020*, lpNumberOfBytesRead=0x26ef2ac*=0x927c0, lpOverlapped=0x0) returned 1 [0267.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0267.995] WriteFile (in: hFile=0x260, lpBuffer=0x2d27020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d27020*, lpNumberOfBytesWritten=0x26ef2a0*=0x927c0, lpOverlapped=0x0) returned 1 [0267.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d27020 | out: hHeap=0x28d0000) returned 1 [0268.001] CloseHandle (hObject=0x260) returned 1 [0268.176] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1fd0 | out: hHeap=0x28d0000) returned 1 [0268.176] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.176] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1420 | out: hHeap=0x28d0000) returned 1 [0268.176] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1438 | out: hHeap=0x28d0000) returned 1 [0268.176] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1420 [0268.205] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.nefilim")) returned 1 [0268.207] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1420 | out: hHeap=0x28d0000) returned 1 [0268.207] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d13a8 | out: hHeap=0x28d0000) returned 1 [0268.226] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x28d12f8, dwReserved1=0x7000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0268.264] FindClose (in: hFindFile=0xa2f9a0 | out: hFindFile=0xa2f9a0) returned 1 [0268.265] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1330 | out: hHeap=0x28d0000) returned 1 [0268.265] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0268.265] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0268.265] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2=".") returned 1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="..") returned 1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="...") returned 1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="windows") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="$RECYCLE.BIN") returned 1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="rsa") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="NTDETECT.COM") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="ntldr") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="MSDOS.SYS") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="IO.SYS") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="boot.ini") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="AUTOEXEC.BAT") returned 1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="ntuser.dat") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="desktop.ini") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="CONFIG.SYS") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="RECYCLER") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="BOOTSECT.BAK") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="bootmgr") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="programdata") returned -1 [0268.265] lstrcmpiW (lpString1="Boot", lpString2="appdata") returned 1 [0268.266] lstrcmpiW (lpString1="Boot", lpString2="program files") returned -1 [0268.266] lstrcmpiW (lpString1="Boot", lpString2="program files (x86)") returned -1 [0268.266] lstrcmpiW (lpString1="Boot", lpString2="microsoft") returned -1 [0268.266] lstrcmpiW (lpString1="Boot", lpString2="sophos") returned -1 [0268.266] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1278 [0268.266] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f8 | out: hHeap=0x28d0000) returned 1 [0268.266] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12a0 [0268.266] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12c8 [0268.266] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.345] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName=".", cAlternateFileName="")) returned 0xa2f760 [0268.346] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.346] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="..", cAlternateFileName="")) returned 1 [0268.349] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.349] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.349] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x6d72d3cf, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6d72d3cf, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="BCD", cAlternateFileName="")) returned 1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2=".") returned 1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="..") returned 1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="...") returned 1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="windows") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="$RECYCLE.BIN") returned 1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="rsa") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="NTDETECT.COM") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="ntldr") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="MSDOS.SYS") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="IO.SYS") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="boot.ini") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="AUTOEXEC.BAT") returned 1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="ntuser.dat") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="desktop.ini") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="CONFIG.SYS") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="RECYCLER") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="BOOTSECT.BAK") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="bootmgr") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="programdata") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="appdata") returned 1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="program files") returned -1 [0268.349] lstrcmpiW (lpString1="BCD", lpString2="program files (x86)") returned -1 [0268.350] lstrcmpiW (lpString1="BCD", lpString2="microsoft") returned -1 [0268.350] lstrcmpiW (lpString1="BCD", lpString2="sophos") returned -1 [0268.350] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1318 [0268.350] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.350] PathFindExtensionW (pszPath="BCD") returned="" [0268.350] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".NEFILIM") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0268.350] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0268.350] lstrcmpiW (lpString1="BCD", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.350] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.388] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.430] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=440599260887424) returned 0 [0268.430] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1340 [0268.430] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1358 [0268.430] SystemFunction036 (in: RandomBuffer=0x28d1340, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1340) returned 1 [0268.430] SystemFunction036 (in: RandomBuffer=0x28d1358, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1358) returned 1 [0268.430] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1370 [0268.430] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d1fd0 [0268.469] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1370*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d1370*, pdwDataLen=0x26ef248*=0x100) returned 1 [0268.472] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d1fd0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0268.474] GetTickCount () returned 0x1183537 [0268.474] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1478 [0268.474] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.474] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.575] SetLastError (dwErrCode=0x0) [0268.575] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d1370, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0) returned 0 [0268.575] GetLastError () returned 0x6 [0268.576] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.576] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2=".") returned 1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="..") returned 1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="...") returned 1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="windows") returned -1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="$RECYCLE.BIN") returned 1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="rsa") returned -1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="NTDETECT.COM") returned -1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="ntldr") returned -1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="MSDOS.SYS") returned -1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="IO.SYS") returned -1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="boot.ini") returned -1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="AUTOEXEC.BAT") returned 1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="ntuser.dat") returned -1 [0268.576] lstrcmpiW (lpString1="BCD.LOG", lpString2="desktop.ini") returned -1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="CONFIG.SYS") returned -1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="RECYCLER") returned -1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="BOOTSECT.BAK") returned -1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="bootmgr") returned -1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="programdata") returned -1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="appdata") returned 1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="program files") returned -1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="program files (x86)") returned -1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="microsoft") returned -1 [0268.577] lstrcmpiW (lpString1="BCD.LOG", lpString2="sophos") returned -1 [0268.577] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1318 | out: hHeap=0x28d0000) returned 1 [0268.577] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0268.577] lstrcmpiW (lpString1=".LOG", lpString2=".exe") returned 1 [0268.577] lstrcmpiW (lpString1=".LOG", lpString2=".log") returned 0 [0268.577] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0268.577] lstrcmpiW (lpString1="BCD.LOG1", lpString2=".") returned 1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="..") returned 1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="...") returned 1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="windows") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="rsa") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="NTDETECT.COM") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="ntldr") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="MSDOS.SYS") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="IO.SYS") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="boot.ini") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="AUTOEXEC.BAT") returned 1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="ntuser.dat") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="desktop.ini") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="CONFIG.SYS") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="RECYCLER") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="BOOTSECT.BAK") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="bootmgr") returned -1 [0268.578] lstrcmpiW (lpString1="BCD.LOG1", lpString2="programdata") returned -1 [0268.579] lstrcmpiW (lpString1="BCD.LOG1", lpString2="appdata") returned 1 [0268.579] lstrcmpiW (lpString1="BCD.LOG1", lpString2="program files") returned -1 [0268.579] lstrcmpiW (lpString1="BCD.LOG1", lpString2="program files (x86)") returned -1 [0268.579] lstrcmpiW (lpString1="BCD.LOG1", lpString2="microsoft") returned -1 [0268.579] lstrcmpiW (lpString1="BCD.LOG1", lpString2="sophos") returned -1 [0268.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1478 [0268.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.579] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0268.579] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0268.580] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0268.580] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0268.580] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0268.580] lstrcmpiW (lpString1=".LOG1", lpString2=".NEFILIM") returned -1 [0268.580] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0268.580] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0268.580] lstrcmpiW (lpString1="BCD.LOG1", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12f0 [0268.580] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0268.581] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=0) returned 1 [0268.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1328 [0268.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14b0 [0268.581] SystemFunction036 (in: RandomBuffer=0x28d1328, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1328) returned 1 [0268.581] SystemFunction036 (in: RandomBuffer=0x28d14b0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14b0) returned 1 [0268.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0268.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d21e0 [0268.581] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0268.584] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d21e0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d21e0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0268.587] GetTickCount () returned 0x11835a4 [0268.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14c8 [0268.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0268.587] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.587] SetLastError (dwErrCode=0x0) [0268.587] WriteFile (in: hFile=0x260, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0268.590] GetLastError () returned 0x0 [0268.590] GetLastError () returned 0x0 [0268.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.590] WriteFile (in: hFile=0x260, lpBuffer=0x28d21e0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d21e0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0268.591] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.591] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc669b76a, dwHighDateTime=0x1d5fd73)) [0268.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14c8 [0268.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0268.591] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0268.591] GetProcessHeap () returned 0xa10000 [0268.591] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x0) returned 0xa33110 [0268.615] GetSystemDefaultLangID () returned 0xa20409 [0268.615] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.666] ReadFile (in: hFile=0x260, lpBuffer=0xa33110, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa33110*, lpNumberOfBytesRead=0x26ef2ac*=0x0, lpOverlapped=0x0) returned 1 [0268.666] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.773] WriteFile (in: hFile=0x260, lpBuffer=0xa33110*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa33110*, lpNumberOfBytesWritten=0x26ef2a0*=0x0, lpOverlapped=0x0) returned 1 [0268.773] GetProcessHeap () returned 0xa10000 [0268.847] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa33110 | out: hHeap=0xa10000) returned 1 [0268.847] CloseHandle (hObject=0x260) returned 1 [0268.851] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.851] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0268.851] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1328 | out: hHeap=0x28d0000) returned 1 [0268.851] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b0 | out: hHeap=0x28d0000) returned 1 [0268.851] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b0 [0268.851] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\Boot\\BCD.LOG1.NEFILIM" (normalized: "c:\\boot\\bcd.log1.nefilim")) returned 1 [0268.852] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b0 | out: hHeap=0x28d0000) returned 1 [0268.852] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.852] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0268.852] lstrcmpiW (lpString1="BCD.LOG2", lpString2=".") returned 1 [0268.852] lstrcmpiW (lpString1="BCD.LOG2", lpString2="..") returned 1 [0268.852] lstrcmpiW (lpString1="BCD.LOG2", lpString2="...") returned 1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="windows") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="rsa") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="NTDETECT.COM") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="ntldr") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="MSDOS.SYS") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="IO.SYS") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="boot.ini") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="AUTOEXEC.BAT") returned 1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="ntuser.dat") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="desktop.ini") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="CONFIG.SYS") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="RECYCLER") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="BOOTSECT.BAK") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="bootmgr") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="programdata") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="appdata") returned 1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="program files") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="program files (x86)") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="microsoft") returned -1 [0268.853] lstrcmpiW (lpString1="BCD.LOG2", lpString2="sophos") returned -1 [0268.853] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12f0 [0268.853] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.853] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0268.853] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0268.853] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".NEFILIM") returned -1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0268.854] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0268.854] lstrcmpiW (lpString1="BCD.LOG2", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.854] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1478 [0268.854] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0268.855] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=0) returned 1 [0268.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1328 [0268.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14b0 [0268.855] SystemFunction036 (in: RandomBuffer=0x28d1328, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1328) returned 1 [0268.855] SystemFunction036 (in: RandomBuffer=0x28d14b0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14b0) returned 1 [0268.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d20d8 [0268.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d21e0 [0268.855] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d20d8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d20d8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0268.858] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d21e0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d21e0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0268.860] GetTickCount () returned 0x11836ae [0268.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14c8 [0268.860] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0268.860] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.860] SetLastError (dwErrCode=0x0) [0268.860] WriteFile (in: hFile=0x260, lpBuffer=0x28d20d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d20d8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0268.862] GetLastError () returned 0x0 [0268.862] GetLastError () returned 0x0 [0268.862] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.862] WriteFile (in: hFile=0x260, lpBuffer=0x28d21e0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d21e0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0268.862] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.862] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc6924192, dwHighDateTime=0x1d5fd73)) [0268.862] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14c8 [0268.862] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14c8 | out: hHeap=0x28d0000) returned 1 [0268.862] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0268.862] GetProcessHeap () returned 0xa10000 [0268.862] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x0) returned 0xa33080 [0268.862] GetSystemDefaultLangID () returned 0xa20409 [0268.862] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.862] ReadFile (in: hFile=0x260, lpBuffer=0xa33080, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa33080*, lpNumberOfBytesRead=0x26ef2ac*=0x0, lpOverlapped=0x0) returned 1 [0268.862] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.862] WriteFile (in: hFile=0x260, lpBuffer=0xa33080*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa33080*, lpNumberOfBytesWritten=0x26ef2a0*=0x0, lpOverlapped=0x0) returned 1 [0268.862] GetProcessHeap () returned 0xa10000 [0268.862] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa33080 | out: hHeap=0xa10000) returned 1 [0268.863] CloseHandle (hObject=0x260) returned 1 [0268.866] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.866] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d21e0 | out: hHeap=0x28d0000) returned 1 [0268.866] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1328 | out: hHeap=0x28d0000) returned 1 [0268.866] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b0 | out: hHeap=0x28d0000) returned 1 [0268.866] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b0 [0268.866] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\Boot\\BCD.LOG2.NEFILIM" (normalized: "c:\\boot\\bcd.log2.nefilim")) returned 1 [0268.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b0 | out: hHeap=0x28d0000) returned 1 [0268.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.867] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2=".") returned 1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="..") returned 1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="...") returned 1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="windows") returned -1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="$RECYCLE.BIN") returned 1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="rsa") returned -1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="NTDETECT.COM") returned -1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="ntldr") returned -1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="MSDOS.SYS") returned -1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="IO.SYS") returned -1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="boot.ini") returned -1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="AUTOEXEC.BAT") returned 1 [0268.867] lstrcmpiW (lpString1="bg-BG", lpString2="ntuser.dat") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="desktop.ini") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="CONFIG.SYS") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="RECYCLER") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="BOOTSECT.BAK") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="bootmgr") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="programdata") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="appdata") returned 1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="program files") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="program files (x86)") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="microsoft") returned -1 [0268.868] lstrcmpiW (lpString1="bg-BG", lpString2="sophos") returned -1 [0268.868] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0268.868] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.868] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.868] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1318 [0268.868] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14a0 [0268.868] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1478, dwReserved1=0x50, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0268.868] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.868] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1478, dwReserved1=0x50, cFileName="..", cAlternateFileName="")) returned 1 [0268.870] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.870] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.870] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x28d1478, dwReserved1=0x50, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0268.870] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0268.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0268.871] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14d8 [0268.871] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14a0 | out: hHeap=0x28d0000) returned 1 [0268.871] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0268.871] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.871] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.871] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.871] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.871] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.871] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.871] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.871] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.872] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.872] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.872] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.872] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.872] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.872] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.872] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.872] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.872] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.872] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d20d8 [0268.872] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.872] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.872] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1520 [0268.872] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d14a0 [0268.872] SystemFunction036 (in: RandomBuffer=0x28d1520, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1520) returned 1 [0268.872] SystemFunction036 (in: RandomBuffer=0x28d14a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d14a0) returned 1 [0268.873] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d2120 [0268.873] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d2228 [0268.873] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d2120*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d2120*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.873] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d2228*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d2228*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.873] GetTickCount () returned 0x11836bd [0268.873] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0268.873] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.873] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.873] SetLastError (dwErrCode=0x0) [0268.873] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d2120, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.874] GetLastError () returned 0x6 [0268.874] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.874] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x28d1478, dwReserved1=0x50, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0268.874] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0268.874] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14d8 | out: hHeap=0x28d0000) returned 1 [0268.874] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1318 | out: hHeap=0x28d0000) returned 1 [0268.874] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.874] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2=".") returned 1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="..") returned 1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="...") returned 1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="windows") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="$RECYCLE.BIN") returned 1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="rsa") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="NTDETECT.COM") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="ntldr") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="MSDOS.SYS") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="IO.SYS") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="boot.ini") returned 1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="AUTOEXEC.BAT") returned 1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="ntuser.dat") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="desktop.ini") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="CONFIG.SYS") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="RECYCLER") returned -1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="BOOTSECT.BAK") returned 1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="bootmgr") returned 1 [0268.874] lstrcmpiW (lpString1="bootspaces.dll", lpString2="programdata") returned -1 [0268.875] lstrcmpiW (lpString1="bootspaces.dll", lpString2="appdata") returned 1 [0268.875] lstrcmpiW (lpString1="bootspaces.dll", lpString2="program files") returned -1 [0268.875] lstrcmpiW (lpString1="bootspaces.dll", lpString2="program files (x86)") returned -1 [0268.875] lstrcmpiW (lpString1="bootspaces.dll", lpString2="microsoft") returned -1 [0268.875] lstrcmpiW (lpString1="bootspaces.dll", lpString2="sophos") returned -1 [0268.875] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0268.875] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.875] PathFindExtensionW (pszPath="bootspaces.dll") returned=".dll" [0268.875] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0268.875] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0268.875] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0268.875] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0268.875] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0268.875] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0268.875] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0268.875] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0268.875] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xef703e94, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2=".") returned 1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="..") returned 1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="...") returned 1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="windows") returned -1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$RECYCLE.BIN") returned 1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="rsa") returned -1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="NTDETECT.COM") returned -1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="ntldr") returned -1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="MSDOS.SYS") returned -1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="IO.SYS") returned -1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="boot.ini") returned 1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="AUTOEXEC.BAT") returned 1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="ntuser.dat") returned -1 [0268.875] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="desktop.ini") returned -1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="CONFIG.SYS") returned -1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="RECYCLER") returned -1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="BOOTSECT.BAK") returned 1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="bootmgr") returned 1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="programdata") returned -1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="appdata") returned 1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="program files") returned -1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="program files (x86)") returned -1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="microsoft") returned -1 [0268.876] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="sophos") returned -1 [0268.876] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12f0 [0268.876] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.876] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".exe") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".log") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".cab") returned 1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".cmd") returned 1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".com") returned 1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".cpl") returned 1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".ini") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".dll") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".url") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".ttf") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".mp3") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".pif") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".mp4") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".NEFILIM") returned -1 [0268.876] lstrcmpiW (lpString1=".DAT", lpString2=".msi") returned -1 [0268.877] lstrcmpiW (lpString1=".DAT", lpString2=".lnk") returned -1 [0268.877] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.877] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0268.877] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0268.879] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=65536) returned 1 [0268.879] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1328 [0268.879] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1478 [0268.879] SystemFunction036 (in: RandomBuffer=0x28d1328, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1328) returned 1 [0268.879] SystemFunction036 (in: RandomBuffer=0x28d1478, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1478) returned 1 [0268.879] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d2330 [0268.879] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d2438 [0268.879] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d2330*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28d2330*, pdwDataLen=0x26ef248*=0x100) returned 1 [0268.880] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d2438*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28d2438*, pdwDataLen=0x26ef244*=0x100) returned 1 [0268.882] GetTickCount () returned 0x11836bd [0268.882] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0268.882] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.882] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.882] SetLastError (dwErrCode=0x0) [0268.882] WriteFile (in: hFile=0x260, lpBuffer=0x28d2330*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d2330*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0268.883] GetLastError () returned 0x0 [0268.884] GetLastError () returned 0x0 [0268.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.884] WriteFile (in: hFile=0x260, lpBuffer=0x28d2438*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d2438*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0268.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.884] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc694a18d, dwHighDateTime=0x1d5fd73)) [0268.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.884] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.884] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0268.884] GetProcessHeap () returned 0xa10000 [0268.884] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x10000) returned 0xa3b688 [0268.885] GetSystemDefaultLangID () returned 0xa20409 [0268.885] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.885] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x10000, lpOverlapped=0x0) returned 1 [0268.896] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0268.896] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x10000, lpOverlapped=0x0) returned 1 [0268.898] GetProcessHeap () returned 0xa10000 [0268.898] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0268.898] CloseHandle (hObject=0x260) returned 1 [0268.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2438 | out: hHeap=0x28d0000) returned 1 [0268.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1328 | out: hHeap=0x28d0000) returned 1 [0268.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.909] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.909] MoveFileW (lpExistingFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\Boot\\BOOTSTAT.DAT.NEFILIM" (normalized: "c:\\boot\\bootstat.dat.nefilim")) returned 1 [0268.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.911] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0268.911] lstrcmpiW (lpString1="bootvhd.dll", lpString2=".") returned 1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="..") returned 1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="...") returned 1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="windows") returned -1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="$RECYCLE.BIN") returned 1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="rsa") returned -1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="NTDETECT.COM") returned -1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="ntldr") returned -1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="MSDOS.SYS") returned -1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="IO.SYS") returned -1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="boot.ini") returned 1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="AUTOEXEC.BAT") returned 1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="ntuser.dat") returned -1 [0268.912] lstrcmpiW (lpString1="bootvhd.dll", lpString2="desktop.ini") returned -1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="CONFIG.SYS") returned -1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="RECYCLER") returned -1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="BOOTSECT.BAK") returned 1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="bootmgr") returned 1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="programdata") returned -1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="appdata") returned 1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="program files") returned -1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="program files (x86)") returned -1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="microsoft") returned -1 [0268.913] lstrcmpiW (lpString1="bootvhd.dll", lpString2="sophos") returned -1 [0268.913] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d20d8 [0268.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.913] PathFindExtensionW (pszPath="bootvhd.dll") returned=".dll" [0268.913] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0268.913] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0268.913] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0268.913] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0268.913] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0268.913] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0268.914] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0268.914] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0268.914] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2=".") returned 1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="..") returned 1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="...") returned 1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="windows") returned -1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="$RECYCLE.BIN") returned 1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="rsa") returned -1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="NTDETECT.COM") returned -1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="ntldr") returned -1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="MSDOS.SYS") returned -1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="IO.SYS") returned -1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="boot.ini") returned 1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="AUTOEXEC.BAT") returned 1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="ntuser.dat") returned -1 [0268.914] lstrcmpiW (lpString1="cs-CZ", lpString2="desktop.ini") returned -1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="CONFIG.SYS") returned 1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="RECYCLER") returned -1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="BOOTSECT.BAK") returned 1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="bootmgr") returned 1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="programdata") returned -1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="appdata") returned 1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="program files") returned -1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="program files (x86)") returned -1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="microsoft") returned -1 [0268.915] lstrcmpiW (lpString1="cs-CZ", lpString2="sophos") returned -1 [0268.915] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0268.916] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0268.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0268.916] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0268.919] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.919] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0268.919] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.919] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.919] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0268.919] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0268.919] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0268.919] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0268.919] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0268.919] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.919] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0268.920] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0268.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.921] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.921] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0268.921] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.921] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.922] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.923] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.923] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.923] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.924] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1500 [0268.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d2100 [0268.924] SystemFunction036 (in: RandomBuffer=0x28d1500, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1500) returned 1 [0268.924] SystemFunction036 (in: RandomBuffer=0x28d2100, RandomBufferLength=0x10 | out: RandomBuffer=0x28d2100) returned 1 [0268.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d2378 [0268.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d2480 [0268.924] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d2378*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d2378*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.925] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d2480*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d2480*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.926] GetTickCount () returned 0x11836ec [0268.926] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2588 [0268.926] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2588 | out: hHeap=0x28d0000) returned 1 [0268.926] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.926] SetLastError (dwErrCode=0x0) [0268.926] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d2378, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.926] GetLastError () returned 0x6 [0268.926] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.926] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0268.927] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0268.928] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0268.928] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.928] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.928] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0268.928] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.928] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.928] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.928] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.929] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.929] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.929] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.929] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.930] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d1318 [0268.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d2588 [0268.930] SystemFunction036 (in: RandomBuffer=0x28d1318, RandomBufferLength=0x10 | out: RandomBuffer=0x28d1318) returned 1 [0268.930] SystemFunction036 (in: RandomBuffer=0x28d2588, RandomBufferLength=0x10 | out: RandomBuffer=0x28d2588) returned 1 [0268.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d25a0 [0268.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d26a8 [0268.931] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d25a0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d25a0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.931] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d26a8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d26a8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.932] GetTickCount () returned 0x11836ec [0268.932] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d27b0 [0268.932] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d27b0 | out: hHeap=0x28d0000) returned 1 [0268.932] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.932] SetLastError (dwErrCode=0x0) [0268.932] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d25a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.932] GetLastError () returned 0x6 [0268.932] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.932] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0268.932] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0268.933] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.933] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.933] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.933] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="da-DK", cAlternateFileName="")) returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2=".") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="..") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="...") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="windows") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="$RECYCLE.BIN") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="rsa") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="NTDETECT.COM") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="ntldr") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="MSDOS.SYS") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="IO.SYS") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="boot.ini") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="AUTOEXEC.BAT") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="ntuser.dat") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="desktop.ini") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="CONFIG.SYS") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="RECYCLER") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="BOOTSECT.BAK") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="bootmgr") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="programdata") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="appdata") returned 1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="program files") returned -1 [0268.933] lstrcmpiW (lpString1="da-DK", lpString2="program files (x86)") returned -1 [0268.934] lstrcmpiW (lpString1="da-DK", lpString2="microsoft") returned -1 [0268.934] lstrcmpiW (lpString1="da-DK", lpString2="sophos") returned -1 [0268.934] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0268.934] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.934] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0268.934] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.934] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0268.934] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0268.935] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.935] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0268.935] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.935] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.935] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0268.935] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0268.936] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0268.936] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.936] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.936] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.936] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.937] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.937] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.937] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.937] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.937] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.937] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.937] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.937] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d27b0 [0268.937] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d27c8 [0268.937] SystemFunction036 (in: RandomBuffer=0x28d27b0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d27b0) returned 1 [0268.937] SystemFunction036 (in: RandomBuffer=0x28d27c8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d27c8) returned 1 [0268.937] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d27e0 [0268.937] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d28e8 [0268.937] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d27e0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d27e0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.938] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d28e8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d28e8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.938] GetTickCount () returned 0x11836fc [0268.938] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d29f0 [0268.938] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d29f0 | out: hHeap=0x28d0000) returned 1 [0268.938] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.938] SetLastError (dwErrCode=0x0) [0268.938] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d27e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.938] GetLastError () returned 0x6 [0268.938] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.938] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0268.939] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0268.939] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.939] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.939] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0268.939] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.940] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.940] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.940] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.940] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.940] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.940] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d29f0 [0268.940] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d2a08 [0268.941] SystemFunction036 (in: RandomBuffer=0x28d29f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d29f0) returned 1 [0268.941] SystemFunction036 (in: RandomBuffer=0x28d2a08, RandomBufferLength=0x10 | out: RandomBuffer=0x28d2a08) returned 1 [0268.941] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d04a0 [0268.944] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d5950 [0268.944] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d04a0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d04a0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.945] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d5950*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d5950*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.945] GetTickCount () returned 0x11836fc [0268.945] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d5a58 [0268.945] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d5a58 | out: hHeap=0x28d0000) returned 1 [0268.945] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.945] SetLastError (dwErrCode=0x0) [0268.945] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d04a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.945] GetLastError () returned 0x6 [0268.945] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.945] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0268.946] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0268.946] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.946] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.946] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.946] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="de-DE", cAlternateFileName="")) returned 1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2=".") returned 1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="..") returned 1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="...") returned 1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="windows") returned -1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="$RECYCLE.BIN") returned 1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="rsa") returned -1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="NTDETECT.COM") returned -1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="ntldr") returned -1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="MSDOS.SYS") returned -1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="IO.SYS") returned -1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="boot.ini") returned 1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="AUTOEXEC.BAT") returned 1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="ntuser.dat") returned -1 [0268.946] lstrcmpiW (lpString1="de-DE", lpString2="desktop.ini") returned -1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="CONFIG.SYS") returned 1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="RECYCLER") returned -1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="BOOTSECT.BAK") returned 1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="bootmgr") returned 1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="programdata") returned -1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="appdata") returned 1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="program files") returned -1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="program files (x86)") returned -1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="microsoft") returned -1 [0268.947] lstrcmpiW (lpString1="de-DE", lpString2="sophos") returned -1 [0268.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0268.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0268.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.948] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0268.948] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f9e0 [0268.949] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.949] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0268.950] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.950] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.950] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0268.950] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0268.951] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0268.951] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.951] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.951] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.951] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.951] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.951] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.951] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.952] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.952] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5a58 [0268.952] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5c48 [0268.952] SystemFunction036 (in: RandomBuffer=0x28d5a58, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5a58) returned 1 [0268.952] SystemFunction036 (in: RandomBuffer=0x28d5c48, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5c48) returned 1 [0268.952] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d6078 [0268.953] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d6180 [0268.953] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d6078*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d6078*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.953] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d6180*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d6180*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.953] GetTickCount () returned 0x118370b [0268.953] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d6288 [0268.953] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d6288 | out: hHeap=0x28d0000) returned 1 [0268.953] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.953] SetLastError (dwErrCode=0x0) [0268.954] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d6078, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.954] GetLastError () returned 0x6 [0268.954] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.954] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0268.954] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0268.955] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0268.955] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.955] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.955] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.955] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.955] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.955] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.955] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.956] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.956] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5b70 [0268.956] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5b58 [0268.956] SystemFunction036 (in: RandomBuffer=0x28d5b70, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5b70) returned 1 [0268.956] SystemFunction036 (in: RandomBuffer=0x28d5b58, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5b58) returned 1 [0268.956] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d6288 [0268.956] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d6390 [0268.956] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d6288*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d6288*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.956] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d6390*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d6390*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.957] GetTickCount () returned 0x118370b [0268.957] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d6498 [0268.957] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d6498 | out: hHeap=0x28d0000) returned 1 [0268.957] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.957] SetLastError (dwErrCode=0x0) [0268.957] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d6288, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.957] GetLastError () returned 0x6 [0268.957] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.957] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0268.957] FindClose (in: hFindFile=0xa2f9e0 | out: hFindFile=0xa2f9e0) returned 1 [0268.957] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.957] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.957] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.957] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="el-GR", cAlternateFileName="")) returned 1 [0268.957] lstrcmpiW (lpString1="el-GR", lpString2=".") returned 1 [0268.957] lstrcmpiW (lpString1="el-GR", lpString2="..") returned 1 [0268.957] lstrcmpiW (lpString1="el-GR", lpString2="...") returned 1 [0268.957] lstrcmpiW (lpString1="el-GR", lpString2="windows") returned -1 [0268.957] lstrcmpiW (lpString1="el-GR", lpString2="$RECYCLE.BIN") returned 1 [0268.957] lstrcmpiW (lpString1="el-GR", lpString2="rsa") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="NTDETECT.COM") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="ntldr") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="MSDOS.SYS") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="IO.SYS") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="boot.ini") returned 1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="AUTOEXEC.BAT") returned 1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="ntuser.dat") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="desktop.ini") returned 1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="CONFIG.SYS") returned 1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="RECYCLER") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="BOOTSECT.BAK") returned 1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="bootmgr") returned 1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="programdata") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="appdata") returned 1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="program files") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="program files (x86)") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="microsoft") returned -1 [0268.958] lstrcmpiW (lpString1="el-GR", lpString2="sophos") returned -1 [0268.958] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0268.958] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.958] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0268.958] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.958] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0268.958] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f560 [0268.959] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.959] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0268.959] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.959] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.959] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0268.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0268.960] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0268.960] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0268.960] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0268.960] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0268.960] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0268.960] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0268.960] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0268.960] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.960] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.960] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.960] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.960] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.961] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.961] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.961] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5c60 [0268.961] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5b88 [0268.961] SystemFunction036 (in: RandomBuffer=0x28d5c60, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5c60) returned 1 [0268.961] SystemFunction036 (in: RandomBuffer=0x28d5b88, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5b88) returned 1 [0268.961] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d6bf8 [0268.962] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d64c0 [0268.962] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d6bf8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d6bf8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.962] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d64c0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d64c0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.962] GetTickCount () returned 0x118370b [0268.962] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d74a0 [0268.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d74a0 | out: hHeap=0x28d0000) returned 1 [0268.962] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.962] SetLastError (dwErrCode=0x0) [0268.963] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d6bf8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.963] GetLastError () returned 0x6 [0268.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.963] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0268.963] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0268.964] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0268.964] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0268.964] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0268.964] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0268.964] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0268.964] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.964] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.964] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0268.964] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.964] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.964] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.964] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.964] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.964] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.964] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.964] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.965] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.965] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.965] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.965] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.965] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.965] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.965] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.965] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.965] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.965] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.966] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5ae0 [0268.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5ba0 [0268.966] SystemFunction036 (in: RandomBuffer=0x28d5ae0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5ae0) returned 1 [0268.966] SystemFunction036 (in: RandomBuffer=0x28d5ba0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5ba0) returned 1 [0268.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d68e0 [0268.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d6d00 [0268.966] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d68e0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d68e0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.967] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d6d00*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d6d00*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.967] GetTickCount () returned 0x118371b [0268.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d74a0 [0268.967] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d74a0 | out: hHeap=0x28d0000) returned 1 [0268.967] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.967] SetLastError (dwErrCode=0x0) [0268.967] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d68e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.967] GetLastError () returned 0x6 [0268.967] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.967] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0268.967] FindClose (in: hFindFile=0xa2f560 | out: hFindFile=0xa2f560) returned 1 [0268.968] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.968] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.968] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.968] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="en-GB", cAlternateFileName="")) returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2=".") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="..") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="...") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="windows") returned -1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="$RECYCLE.BIN") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="rsa") returned -1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="NTDETECT.COM") returned -1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="ntldr") returned -1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="MSDOS.SYS") returned -1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="IO.SYS") returned -1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="boot.ini") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="AUTOEXEC.BAT") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="ntuser.dat") returned -1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="desktop.ini") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="CONFIG.SYS") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="RECYCLER") returned -1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="BOOTSECT.BAK") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="bootmgr") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="programdata") returned -1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="appdata") returned 1 [0268.968] lstrcmpiW (lpString1="en-GB", lpString2="program files") returned -1 [0268.969] lstrcmpiW (lpString1="en-GB", lpString2="program files (x86)") returned -1 [0268.969] lstrcmpiW (lpString1="en-GB", lpString2="microsoft") returned -1 [0268.969] lstrcmpiW (lpString1="en-GB", lpString2="sophos") returned -1 [0268.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0268.969] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0268.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0268.969] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f9a0 [0268.969] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.969] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0268.969] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.969] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.969] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0268.969] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0268.969] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0268.970] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0268.970] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.970] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.970] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0268.970] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.971] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.971] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.971] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.971] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.971] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.971] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5bb8 [0268.971] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5c18 [0268.972] SystemFunction036 (in: RandomBuffer=0x28d5bb8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5bb8) returned 1 [0268.972] SystemFunction036 (in: RandomBuffer=0x28d5c18, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5c18) returned 1 [0268.972] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d6e08 [0268.972] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d67d8 [0268.972] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d6e08*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d6e08*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.972] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d67d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d67d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.973] GetTickCount () returned 0x118371b [0268.973] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d74a0 [0268.973] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d74a0 | out: hHeap=0x28d0000) returned 1 [0268.973] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.973] SetLastError (dwErrCode=0x0) [0268.973] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d6e08, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.973] GetLastError () returned 0x6 [0268.973] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.973] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0268.973] FindClose (in: hFindFile=0xa2f9a0 | out: hFindFile=0xa2f9a0) returned 1 [0268.973] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.973] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.973] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.973] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="en-US", cAlternateFileName="")) returned 1 [0268.973] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0268.973] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0268.973] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0268.973] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0268.973] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="microsoft") returned -1 [0268.974] lstrcmpiW (lpString1="en-US", lpString2="sophos") returned -1 [0268.974] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0268.974] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.974] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0268.974] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.974] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0268.974] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0268.975] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.975] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0268.975] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.975] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.975] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0268.975] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0268.976] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0268.976] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0268.976] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0268.976] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0268.976] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0268.976] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0268.976] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0268.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.976] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.976] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.976] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.977] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.977] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.977] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.977] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.978] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5af8 [0268.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5b40 [0268.978] SystemFunction036 (in: RandomBuffer=0x28d5af8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5af8) returned 1 [0268.978] SystemFunction036 (in: RandomBuffer=0x28d5b40, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5b40) returned 1 [0268.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d7018 [0268.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d65c8 [0268.978] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d7018*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d7018*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.978] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d65c8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d65c8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.979] GetTickCount () returned 0x118371b [0268.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d74a0 [0268.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d74a0 | out: hHeap=0x28d0000) returned 1 [0268.979] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.979] SetLastError (dwErrCode=0x0) [0268.979] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d7018, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.979] GetLastError () returned 0x6 [0268.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.979] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0268.979] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0268.979] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0268.979] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0268.979] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0268.979] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.979] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0268.979] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.979] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0268.980] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0268.980] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.980] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.980] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0268.980] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.980] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.980] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.980] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.980] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.980] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.980] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.981] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.981] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.981] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.981] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.981] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.981] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.981] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.981] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.981] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.981] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.981] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.981] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5bd0 [0268.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5ab0 [0268.981] SystemFunction036 (in: RandomBuffer=0x28d5bd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5bd0) returned 1 [0268.981] SystemFunction036 (in: RandomBuffer=0x28d5ab0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5ab0) returned 1 [0268.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d7120 [0268.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d6f10 [0268.981] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d7120*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d7120*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.982] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d6f10*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d6f10*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.982] GetTickCount () returned 0x118372b [0268.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d74a0 [0268.982] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d74a0 | out: hHeap=0x28d0000) returned 1 [0268.982] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.982] SetLastError (dwErrCode=0x0) [0268.983] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d7120, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.983] GetLastError () returned 0x6 [0268.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.983] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0268.983] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0268.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.983] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="es-ES", cAlternateFileName="")) returned 1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2=".") returned 1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="..") returned 1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="...") returned 1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="windows") returned -1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="$RECYCLE.BIN") returned 1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="rsa") returned -1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="NTDETECT.COM") returned -1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="ntldr") returned -1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="MSDOS.SYS") returned -1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="IO.SYS") returned -1 [0268.983] lstrcmpiW (lpString1="es-ES", lpString2="boot.ini") returned 1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="AUTOEXEC.BAT") returned 1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="ntuser.dat") returned -1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="desktop.ini") returned 1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="CONFIG.SYS") returned 1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="RECYCLER") returned -1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="BOOTSECT.BAK") returned 1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="bootmgr") returned 1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="programdata") returned -1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="appdata") returned 1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="program files") returned -1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="program files (x86)") returned -1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="microsoft") returned -1 [0268.984] lstrcmpiW (lpString1="es-ES", lpString2="sophos") returned -1 [0268.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0268.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0268.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0268.984] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0268.985] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.985] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0268.985] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.985] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.985] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0268.985] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0268.986] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0268.986] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0268.986] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0268.986] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0268.986] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.986] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.986] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.986] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.987] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.987] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.987] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.987] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5b10 [0268.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5a98 [0268.987] SystemFunction036 (in: RandomBuffer=0x28d5b10, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5b10) returned 1 [0268.987] SystemFunction036 (in: RandomBuffer=0x28d5a98, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5a98) returned 1 [0268.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d7228 [0268.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d7330 [0268.987] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d7228*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d7228*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.988] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d7330*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d7330*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.988] GetTickCount () returned 0x118372b [0268.988] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d74a0 [0268.988] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d74a0 | out: hHeap=0x28d0000) returned 1 [0268.988] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.988] SetLastError (dwErrCode=0x0) [0268.988] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d7228, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.988] GetLastError () returned 0x6 [0268.988] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.988] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0268.988] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0268.988] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0268.988] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0268.989] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0268.989] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.989] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.989] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0268.989] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.989] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.989] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.989] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.990] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.990] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.990] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.990] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.992] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.992] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5ac8 [0268.992] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5b28 [0268.992] SystemFunction036 (in: RandomBuffer=0x28d5ac8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5ac8) returned 1 [0268.992] SystemFunction036 (in: RandomBuffer=0x28d5b28, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5b28) returned 1 [0268.992] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d66d0 [0268.992] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d69e8 [0268.992] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d66d0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d66d0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.992] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d69e8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d69e8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.993] GetTickCount () returned 0x118372b [0268.993] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d74a0 [0268.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d74a0 | out: hHeap=0x28d0000) returned 1 [0268.993] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.993] SetLastError (dwErrCode=0x0) [0268.993] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d66d0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0268.993] GetLastError () returned 0x6 [0268.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0268.993] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0268.993] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0268.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0268.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0268.994] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="es-MX", cAlternateFileName="")) returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2=".") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="..") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="...") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="windows") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="$RECYCLE.BIN") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="rsa") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="NTDETECT.COM") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="ntldr") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="MSDOS.SYS") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="IO.SYS") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="boot.ini") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="AUTOEXEC.BAT") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="ntuser.dat") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="desktop.ini") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="CONFIG.SYS") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="RECYCLER") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="BOOTSECT.BAK") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="bootmgr") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="programdata") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="appdata") returned 1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="program files") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="program files (x86)") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="microsoft") returned -1 [0268.994] lstrcmpiW (lpString1="es-MX", lpString2="sophos") returned -1 [0268.994] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0268.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0268.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0268.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0268.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0268.995] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0268.995] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0268.996] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0268.996] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0268.996] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0268.996] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0268.996] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0268.997] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0268.997] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0268.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0268.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0268.997] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0268.997] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0268.997] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0268.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0268.997] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.998] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0268.998] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5be8 [0268.998] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5c00 [0268.998] SystemFunction036 (in: RandomBuffer=0x28d5be8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5be8) returned 1 [0268.998] SystemFunction036 (in: RandomBuffer=0x28d5c00, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5c00) returned 1 [0268.998] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d6af0 [0268.998] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d90a0 [0268.998] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d6af0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d6af0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0268.999] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d90a0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d90a0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0268.999] GetTickCount () returned 0x118373a [0268.999] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d94a8 [0268.999] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d94a8 | out: hHeap=0x28d0000) returned 1 [0268.999] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0268.999] SetLastError (dwErrCode=0x0) [0268.999] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d6af0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.000] GetLastError () returned 0x6 [0269.000] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.000] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.000] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0269.000] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.000] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.000] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.000] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="et-EE", cAlternateFileName="")) returned 1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2=".") returned 1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="..") returned 1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="...") returned 1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="windows") returned -1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="$RECYCLE.BIN") returned 1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="rsa") returned -1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="NTDETECT.COM") returned -1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="ntldr") returned -1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="MSDOS.SYS") returned -1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="IO.SYS") returned -1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="boot.ini") returned 1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="AUTOEXEC.BAT") returned 1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="ntuser.dat") returned -1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="desktop.ini") returned 1 [0269.000] lstrcmpiW (lpString1="et-EE", lpString2="CONFIG.SYS") returned 1 [0269.001] lstrcmpiW (lpString1="et-EE", lpString2="RECYCLER") returned -1 [0269.001] lstrcmpiW (lpString1="et-EE", lpString2="BOOTSECT.BAK") returned 1 [0269.001] lstrcmpiW (lpString1="et-EE", lpString2="bootmgr") returned 1 [0269.001] lstrcmpiW (lpString1="et-EE", lpString2="programdata") returned -1 [0269.001] lstrcmpiW (lpString1="et-EE", lpString2="appdata") returned 1 [0269.001] lstrcmpiW (lpString1="et-EE", lpString2="program files") returned -1 [0269.001] lstrcmpiW (lpString1="et-EE", lpString2="program files (x86)") returned -1 [0269.001] lstrcmpiW (lpString1="et-EE", lpString2="microsoft") returned -1 [0269.001] lstrcmpiW (lpString1="et-EE", lpString2="sophos") returned -1 [0269.001] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.001] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.001] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.001] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.001] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.001] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0269.001] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.001] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.001] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.001] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.001] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.002] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.002] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.002] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.002] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.003] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.003] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.003] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.003] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.005] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.005] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d5c30 [0269.005] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9520 [0269.005] SystemFunction036 (in: RandomBuffer=0x28d5c30, RandomBufferLength=0x10 | out: RandomBuffer=0x28d5c30) returned 1 [0269.005] SystemFunction036 (in: RandomBuffer=0x28d9520, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9520) returned 1 [0269.005] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d77e0 [0269.005] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d78e8 [0269.005] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d77e0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d77e0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.005] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d78e8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d78e8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.006] GetTickCount () returned 0x118373a [0269.006] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.006] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.006] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.006] SetLastError (dwErrCode=0x0) [0269.006] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d77e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.006] GetLastError () returned 0x6 [0269.006] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.006] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.006] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0269.006] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.006] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.006] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.006] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0269.006] lstrcmpiW (lpString1="fi-FI", lpString2=".") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="..") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="...") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="windows") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="$RECYCLE.BIN") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="rsa") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="NTDETECT.COM") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="ntldr") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="MSDOS.SYS") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="IO.SYS") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="boot.ini") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="AUTOEXEC.BAT") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="ntuser.dat") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="desktop.ini") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="CONFIG.SYS") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="RECYCLER") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="BOOTSECT.BAK") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="bootmgr") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="programdata") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="appdata") returned 1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="program files") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="program files (x86)") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="microsoft") returned -1 [0269.007] lstrcmpiW (lpString1="fi-FI", lpString2="sophos") returned -1 [0269.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.007] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.008] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.008] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f360 [0269.008] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.008] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.008] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.008] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.008] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.009] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.009] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.009] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.010] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.010] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.010] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.010] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.010] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.010] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.010] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.010] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.010] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9778 [0269.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d94f0 [0269.010] SystemFunction036 (in: RandomBuffer=0x28d9778, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9778) returned 1 [0269.010] SystemFunction036 (in: RandomBuffer=0x28d94f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d94f0) returned 1 [0269.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d74c8 [0269.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8860 [0269.011] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d74c8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d74c8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.011] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8860*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d8860*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.011] GetTickCount () returned 0x118374a [0269.011] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.011] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.012] SetLastError (dwErrCode=0x0) [0269.012] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d74c8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.012] GetLastError () returned 0x6 [0269.012] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.012] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.012] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.013] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.013] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.013] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.013] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.013] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.013] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.013] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.013] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.014] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.014] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9790 [0269.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9640 [0269.014] SystemFunction036 (in: RandomBuffer=0x28d9790, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9790) returned 1 [0269.014] SystemFunction036 (in: RandomBuffer=0x28d9640, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9640) returned 1 [0269.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d7d08 [0269.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d7af8 [0269.014] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d7d08*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d7d08*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.014] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d7af8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d7af8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.015] GetTickCount () returned 0x118374a [0269.015] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.015] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.015] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.015] SetLastError (dwErrCode=0x0) [0269.015] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d7d08, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.015] GetLastError () returned 0x6 [0269.015] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.015] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.015] FindClose (in: hFindFile=0xa2f360 | out: hFindFile=0xa2f360) returned 1 [0269.015] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.015] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.016] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.016] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="Fonts", cAlternateFileName="")) returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2=".") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="..") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="...") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="windows") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="$RECYCLE.BIN") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="rsa") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="NTDETECT.COM") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="ntldr") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="MSDOS.SYS") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="IO.SYS") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="boot.ini") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="AUTOEXEC.BAT") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="ntuser.dat") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="desktop.ini") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="CONFIG.SYS") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="RECYCLER") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="BOOTSECT.BAK") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="bootmgr") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="programdata") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="appdata") returned 1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="program files") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="program files (x86)") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="microsoft") returned -1 [0269.016] lstrcmpiW (lpString1="Fonts", lpString2="sophos") returned -1 [0269.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.017] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f220 [0269.020] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.020] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.020] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.020] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.020] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2=".") returned 1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="..") returned 1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="...") returned 1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="windows") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="rsa") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="ntldr") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="IO.SYS") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="boot.ini") returned 1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="desktop.ini") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="CONFIG.SYS") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="RECYCLER") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="bootmgr") returned 1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="programdata") returned -1 [0269.020] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="appdata") returned 1 [0269.021] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="program files") returned -1 [0269.021] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="program files (x86)") returned -1 [0269.021] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="microsoft") returned -1 [0269.021] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="sophos") returned -1 [0269.021] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.021] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.021] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.021] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0269.021] lstrcmpiW (lpString1="cht_boot.ttf", lpString2=".") returned 1 [0269.021] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="..") returned 1 [0269.021] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="...") returned 1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="windows") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="rsa") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="ntldr") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="IO.SYS") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="boot.ini") returned 1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="desktop.ini") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="CONFIG.SYS") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="RECYCLER") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="bootmgr") returned 1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="programdata") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="appdata") returned 1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="program files") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="program files (x86)") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="microsoft") returned -1 [0269.022] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="sophos") returned -1 [0269.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.022] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0269.022] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.022] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.023] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.023] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.023] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.023] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.023] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.023] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.023] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.023] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.023] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2=".") returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="..") returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="...") returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="windows") returned -1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="rsa") returned -1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="ntldr") returned -1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="IO.SYS") returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="boot.ini") returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="desktop.ini") returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="RECYCLER") returned -1 [0269.023] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.024] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="bootmgr") returned 1 [0269.024] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="programdata") returned -1 [0269.024] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="appdata") returned 1 [0269.024] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="program files") returned -1 [0269.024] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="program files (x86)") returned -1 [0269.024] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="microsoft") returned -1 [0269.024] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="sophos") returned -1 [0269.024] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.024] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.024] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.024] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.024] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0269.024] lstrcmpiW (lpString1="kor_boot.ttf", lpString2=".") returned 1 [0269.024] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="..") returned 1 [0269.024] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="...") returned 1 [0269.024] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="windows") returned -1 [0269.024] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="rsa") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="ntldr") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="IO.SYS") returned 1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="boot.ini") returned 1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="desktop.ini") returned 1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="RECYCLER") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="bootmgr") returned 1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="programdata") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="appdata") returned 1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="program files") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="program files (x86)") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="microsoft") returned -1 [0269.025] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="sophos") returned -1 [0269.025] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.025] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.025] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0269.025] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.025] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.025] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.025] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.025] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.026] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.026] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.026] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.026] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.026] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.026] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0269.026] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2=".") returned 1 [0269.026] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="..") returned 1 [0269.026] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="...") returned 1 [0269.026] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="windows") returned -1 [0269.027] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.027] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="rsa") returned -1 [0269.027] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.027] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="ntldr") returned -1 [0269.027] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0269.027] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="IO.SYS") returned 1 [0269.027] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="boot.ini") returned 1 [0269.027] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.027] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="desktop.ini") returned 1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="RECYCLER") returned -1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="bootmgr") returned 1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="programdata") returned -1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="appdata") returned 1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="program files") returned -1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="program files (x86)") returned -1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="microsoft") returned -1 [0269.028] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="sophos") returned -1 [0269.028] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.028] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.028] PathFindExtensionW (pszPath="malgunn_boot.ttf") returned=".ttf" [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.028] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.028] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0269.028] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2=".") returned 1 [0269.028] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="..") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="...") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="windows") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="rsa") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="ntldr") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="IO.SYS") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="boot.ini") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="desktop.ini") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="RECYCLER") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="bootmgr") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="programdata") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="appdata") returned 1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="program files") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="program files (x86)") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="microsoft") returned -1 [0269.029] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="sophos") returned -1 [0269.029] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.029] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.029] PathFindExtensionW (pszPath="malgun_boot.ttf") returned=".ttf" [0269.029] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.029] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.030] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.030] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.030] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.030] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.030] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.030] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.030] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.030] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.030] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2=".") returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="..") returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="...") returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="windows") returned -1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="rsa") returned -1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="ntldr") returned -1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="IO.SYS") returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="boot.ini") returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="desktop.ini") returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.030] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="RECYCLER") returned -1 [0269.031] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.031] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="bootmgr") returned 1 [0269.031] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="programdata") returned -1 [0269.031] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="appdata") returned 1 [0269.031] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="program files") returned -1 [0269.031] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="program files (x86)") returned -1 [0269.031] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="microsoft") returned -1 [0269.031] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="sophos") returned -1 [0269.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.031] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.031] PathFindExtensionW (pszPath="meiryon_boot.ttf") returned=".ttf" [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.031] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.031] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0269.031] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2=".") returned 1 [0269.031] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="..") returned 1 [0269.031] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="...") returned 1 [0269.031] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="windows") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="rsa") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="ntldr") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="IO.SYS") returned 1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="boot.ini") returned 1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="desktop.ini") returned 1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="RECYCLER") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="bootmgr") returned 1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="programdata") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="appdata") returned 1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="program files") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="program files (x86)") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="microsoft") returned -1 [0269.032] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="sophos") returned -1 [0269.032] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.032] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.032] PathFindExtensionW (pszPath="meiryo_boot.ttf") returned=".ttf" [0269.032] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.032] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.032] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.033] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.033] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.033] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.033] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.033] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.033] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.033] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.033] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2=".") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="..") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="...") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="windows") returned -1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="rsa") returned -1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="ntldr") returned -1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="IO.SYS") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="boot.ini") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="desktop.ini") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="RECYCLER") returned -1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.033] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="bootmgr") returned 1 [0269.034] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="programdata") returned -1 [0269.034] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="appdata") returned 1 [0269.034] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="program files") returned -1 [0269.034] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="program files (x86)") returned -1 [0269.034] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="microsoft") returned 1 [0269.034] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="sophos") returned -1 [0269.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.034] PathFindExtensionW (pszPath="msjhn_boot.ttf") returned=".ttf" [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.034] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.034] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0269.034] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2=".") returned 1 [0269.034] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="..") returned 1 [0269.034] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="...") returned 1 [0269.034] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="windows") returned -1 [0269.034] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="rsa") returned -1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="ntldr") returned -1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="IO.SYS") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="boot.ini") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="desktop.ini") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="RECYCLER") returned -1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="bootmgr") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="programdata") returned -1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="appdata") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="program files") returned -1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="program files (x86)") returned -1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="microsoft") returned 1 [0269.035] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="sophos") returned -1 [0269.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.035] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.035] PathFindExtensionW (pszPath="msjh_boot.ttf") returned=".ttf" [0269.035] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.035] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.035] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.035] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.035] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.036] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.036] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.036] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.036] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.036] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.036] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2=".") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="..") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="...") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="windows") returned -1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="rsa") returned -1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="ntldr") returned -1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="IO.SYS") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="boot.ini") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="desktop.ini") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="RECYCLER") returned -1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="bootmgr") returned 1 [0269.036] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="programdata") returned -1 [0269.037] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="appdata") returned 1 [0269.037] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="program files") returned -1 [0269.037] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="program files (x86)") returned -1 [0269.037] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="microsoft") returned 1 [0269.037] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="sophos") returned -1 [0269.037] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.037] PathFindExtensionW (pszPath="msyhn_boot.ttf") returned=".ttf" [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.037] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.037] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0269.037] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2=".") returned 1 [0269.037] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="..") returned 1 [0269.037] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="...") returned 1 [0269.037] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="windows") returned -1 [0269.037] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.037] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="rsa") returned -1 [0269.037] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="ntldr") returned -1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="IO.SYS") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="boot.ini") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="ntuser.dat") returned -1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="desktop.ini") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="RECYCLER") returned -1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="bootmgr") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="programdata") returned -1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="appdata") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="program files") returned -1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="program files (x86)") returned -1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="microsoft") returned 1 [0269.038] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="sophos") returned -1 [0269.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.038] PathFindExtensionW (pszPath="msyh_boot.ttf") returned=".ttf" [0269.038] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.038] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.038] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.038] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.038] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.038] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.039] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.039] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.039] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.039] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.039] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2=".") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="..") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="...") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="windows") returned -1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="rsa") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="NTDETECT.COM") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="ntldr") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="IO.SYS") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="boot.ini") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="ntuser.dat") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="desktop.ini") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="RECYCLER") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="bootmgr") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="programdata") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="appdata") returned 1 [0269.039] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="program files") returned 1 [0269.040] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="program files (x86)") returned 1 [0269.040] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="microsoft") returned 1 [0269.040] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="sophos") returned -1 [0269.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.040] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.040] PathFindExtensionW (pszPath="segmono_boot.ttf") returned=".ttf" [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.040] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.040] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2=".") returned 1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="..") returned 1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="...") returned 1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="windows") returned -1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="rsa") returned 1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="NTDETECT.COM") returned 1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="ntldr") returned 1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="MSDOS.SYS") returned 1 [0269.040] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="IO.SYS") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="boot.ini") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="ntuser.dat") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="desktop.ini") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="RECYCLER") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="bootmgr") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="programdata") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="appdata") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="program files") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="program files (x86)") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="microsoft") returned 1 [0269.041] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="sophos") returned -1 [0269.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.041] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.041] PathFindExtensionW (pszPath="segoen_slboot.ttf") returned=".ttf" [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.041] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.041] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0269.041] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2=".") returned 1 [0269.041] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="..") returned 1 [0269.041] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="...") returned 1 [0269.041] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="windows") returned -1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="rsa") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="NTDETECT.COM") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="ntldr") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="MSDOS.SYS") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="IO.SYS") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="boot.ini") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="ntuser.dat") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="desktop.ini") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="RECYCLER") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="bootmgr") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="programdata") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="appdata") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="program files") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="program files (x86)") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="microsoft") returned 1 [0269.042] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="sophos") returned -1 [0269.042] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.042] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.042] PathFindExtensionW (pszPath="segoe_slboot.ttf") returned=".ttf" [0269.042] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.042] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.042] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.042] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.042] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.043] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.043] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.043] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.043] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.043] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.043] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2=".") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="..") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="...") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="windows") returned -1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="rsa") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="NTDETECT.COM") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="ntldr") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="IO.SYS") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="boot.ini") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="ntuser.dat") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="desktop.ini") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="RECYCLER") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="bootmgr") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="programdata") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="appdata") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="program files") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="program files (x86)") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="microsoft") returned 1 [0269.043] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="sophos") returned 1 [0269.044] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.044] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0269.044] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0269.044] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0269.044] FindClose (in: hFindFile=0xa2f220 | out: hFindFile=0xa2f220) returned 1 [0269.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.045] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2=".") returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="..") returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="...") returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="windows") returned -1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="$RECYCLE.BIN") returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="rsa") returned -1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="NTDETECT.COM") returned -1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="ntldr") returned -1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="MSDOS.SYS") returned -1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="IO.SYS") returned -1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="boot.ini") returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="AUTOEXEC.BAT") returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="ntuser.dat") returned -1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="desktop.ini") returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="CONFIG.SYS") returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="RECYCLER") returned -1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="BOOTSECT.BAK") returned 1 [0269.045] lstrcmpiW (lpString1="fr-CA", lpString2="bootmgr") returned 1 [0269.046] lstrcmpiW (lpString1="fr-CA", lpString2="programdata") returned -1 [0269.046] lstrcmpiW (lpString1="fr-CA", lpString2="appdata") returned 1 [0269.046] lstrcmpiW (lpString1="fr-CA", lpString2="program files") returned -1 [0269.046] lstrcmpiW (lpString1="fr-CA", lpString2="program files (x86)") returned -1 [0269.046] lstrcmpiW (lpString1="fr-CA", lpString2="microsoft") returned -1 [0269.046] lstrcmpiW (lpString1="fr-CA", lpString2="sophos") returned -1 [0269.046] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.046] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.046] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.046] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.046] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f9e0 [0269.047] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.047] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.047] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.047] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.047] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.048] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.048] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.048] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.048] CreateFileW (lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.048] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d96b8 [0269.049] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9580 [0269.049] SystemFunction036 (in: RandomBuffer=0x28d96b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d96b8) returned 1 [0269.049] SystemFunction036 (in: RandomBuffer=0x28d9580, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9580) returned 1 [0269.049] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d91a8 [0269.049] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8a70 [0269.049] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d91a8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d91a8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.049] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8a70*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d8a70*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.049] GetTickCount () returned 0x1183769 [0269.049] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.049] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.049] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.049] SetLastError (dwErrCode=0x0) [0269.049] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d91a8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.049] GetLastError () returned 0x6 [0269.049] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.049] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.050] FindClose (in: hFindFile=0xa2f9e0 | out: hFindFile=0xa2f9e0) returned 1 [0269.050] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.050] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.050] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.050] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2=".") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="..") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="...") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="windows") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="$RECYCLE.BIN") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="rsa") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="NTDETECT.COM") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="ntldr") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="MSDOS.SYS") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="IO.SYS") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="boot.ini") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="AUTOEXEC.BAT") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="ntuser.dat") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="desktop.ini") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="CONFIG.SYS") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="RECYCLER") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="BOOTSECT.BAK") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="bootmgr") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="programdata") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="appdata") returned 1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="program files") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="program files (x86)") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="microsoft") returned -1 [0269.050] lstrcmpiW (lpString1="fr-FR", lpString2="sophos") returned -1 [0269.051] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.051] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.051] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.051] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.051] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f4a0 [0269.051] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.051] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.051] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.051] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.051] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.051] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.052] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.052] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.052] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.052] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.052] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.052] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.052] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.052] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.052] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.052] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.052] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.052] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.052] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.052] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.053] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.053] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9628 [0269.053] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9538 [0269.053] SystemFunction036 (in: RandomBuffer=0x28d9628, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9628) returned 1 [0269.053] SystemFunction036 (in: RandomBuffer=0x28d9538, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9538) returned 1 [0269.053] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8758 [0269.053] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8b78 [0269.053] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8758*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d8758*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.053] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8b78*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d8b78*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.053] GetTickCount () returned 0x1183769 [0269.053] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.053] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.053] SetLastError (dwErrCode=0x0) [0269.054] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d8758, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.054] GetLastError () returned 0x6 [0269.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.054] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.054] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.054] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.054] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.054] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.055] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.055] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.055] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.055] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.056] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9598 [0269.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9658 [0269.056] SystemFunction036 (in: RandomBuffer=0x28d9598, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9598) returned 1 [0269.056] SystemFunction036 (in: RandomBuffer=0x28d9658, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9658) returned 1 [0269.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d92b0 [0269.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8c80 [0269.056] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d92b0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d92b0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.056] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8c80*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d8c80*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.057] GetTickCount () returned 0x1183769 [0269.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.057] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.057] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.057] SetLastError (dwErrCode=0x0) [0269.057] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d92b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.057] GetLastError () returned 0x6 [0269.057] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.057] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.057] FindClose (in: hFindFile=0xa2f4a0 | out: hFindFile=0xa2f4a0) returned 1 [0269.057] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.089] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.089] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.089] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0269.089] lstrcmpiW (lpString1="hr-HR", lpString2=".") returned 1 [0269.089] lstrcmpiW (lpString1="hr-HR", lpString2="..") returned 1 [0269.089] lstrcmpiW (lpString1="hr-HR", lpString2="...") returned 1 [0269.089] lstrcmpiW (lpString1="hr-HR", lpString2="windows") returned -1 [0269.089] lstrcmpiW (lpString1="hr-HR", lpString2="$RECYCLE.BIN") returned 1 [0269.089] lstrcmpiW (lpString1="hr-HR", lpString2="rsa") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="NTDETECT.COM") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="ntldr") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="MSDOS.SYS") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="IO.SYS") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="boot.ini") returned 1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="AUTOEXEC.BAT") returned 1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="ntuser.dat") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="desktop.ini") returned 1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="CONFIG.SYS") returned 1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="RECYCLER") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="BOOTSECT.BAK") returned 1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="bootmgr") returned 1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="programdata") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="appdata") returned 1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="program files") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="program files (x86)") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="microsoft") returned -1 [0269.090] lstrcmpiW (lpString1="hr-HR", lpString2="sophos") returned -1 [0269.090] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.090] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.090] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.090] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.090] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.090] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0269.091] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.091] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.091] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.091] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.091] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.091] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.092] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.092] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.092] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.092] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.092] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.092] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.092] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.092] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.092] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.092] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.092] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.092] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.092] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.093] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.093] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.093] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.093] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.093] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9568 [0269.093] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9670 [0269.093] SystemFunction036 (in: RandomBuffer=0x28d9568, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9568) returned 1 [0269.093] SystemFunction036 (in: RandomBuffer=0x28d9670, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9670) returned 1 [0269.093] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8020 [0269.093] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d7e10 [0269.093] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8020*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d8020*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.094] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d7e10*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d7e10*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.094] GetTickCount () returned 0x1183798 [0269.094] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.094] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.094] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.094] SetLastError (dwErrCode=0x0) [0269.094] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d8020, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.094] GetLastError () returned 0x6 [0269.094] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.094] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.095] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0269.095] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.095] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.095] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.095] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2=".") returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="..") returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="...") returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="windows") returned -1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="$RECYCLE.BIN") returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="rsa") returned -1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="NTDETECT.COM") returned -1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="ntldr") returned -1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="MSDOS.SYS") returned -1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="IO.SYS") returned -1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="boot.ini") returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="AUTOEXEC.BAT") returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="ntuser.dat") returned -1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="desktop.ini") returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="CONFIG.SYS") returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="RECYCLER") returned -1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="BOOTSECT.BAK") returned 1 [0269.095] lstrcmpiW (lpString1="hu-HU", lpString2="bootmgr") returned 1 [0269.096] lstrcmpiW (lpString1="hu-HU", lpString2="programdata") returned -1 [0269.096] lstrcmpiW (lpString1="hu-HU", lpString2="appdata") returned 1 [0269.096] lstrcmpiW (lpString1="hu-HU", lpString2="program files") returned -1 [0269.096] lstrcmpiW (lpString1="hu-HU", lpString2="program files (x86)") returned -1 [0269.096] lstrcmpiW (lpString1="hu-HU", lpString2="microsoft") returned -1 [0269.096] lstrcmpiW (lpString1="hu-HU", lpString2="sophos") returned -1 [0269.096] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.096] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.096] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.096] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.096] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.096] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f560 [0269.096] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.096] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.096] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.096] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.096] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.096] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.096] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.096] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.097] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.097] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.097] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.097] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.098] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.098] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.098] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.098] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.101] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.101] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9688 [0269.101] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9760 [0269.101] SystemFunction036 (in: RandomBuffer=0x28d9688, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9688) returned 1 [0269.101] SystemFunction036 (in: RandomBuffer=0x28d9760, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9760) returned 1 [0269.101] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8650 [0269.101] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d79f0 [0269.101] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8650*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d8650*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.101] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d79f0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d79f0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.101] GetTickCount () returned 0x1183798 [0269.101] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.102] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.102] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.102] SetLastError (dwErrCode=0x0) [0269.102] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d8650, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.102] GetLastError () returned 0x6 [0269.102] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.102] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.102] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.103] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.103] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.103] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.103] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.103] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.103] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.103] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.103] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.103] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.104] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d95b0 [0269.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9550 [0269.104] SystemFunction036 (in: RandomBuffer=0x28d95b0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d95b0) returned 1 [0269.104] SystemFunction036 (in: RandomBuffer=0x28d9550, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9550) returned 1 [0269.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8968 [0269.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8128 [0269.104] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8968*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d8968*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.104] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8128*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d8128*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.105] GetTickCount () returned 0x11837a8 [0269.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.105] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.105] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.105] SetLastError (dwErrCode=0x0) [0269.105] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d8968, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.105] GetLastError () returned 0x6 [0269.105] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.105] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.105] FindClose (in: hFindFile=0xa2f560 | out: hFindFile=0xa2f560) returned 1 [0269.105] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.105] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.105] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.105] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="it-IT", cAlternateFileName="")) returned 1 [0269.105] lstrcmpiW (lpString1="it-IT", lpString2=".") returned 1 [0269.105] lstrcmpiW (lpString1="it-IT", lpString2="..") returned 1 [0269.105] lstrcmpiW (lpString1="it-IT", lpString2="...") returned 1 [0269.105] lstrcmpiW (lpString1="it-IT", lpString2="windows") returned -1 [0269.105] lstrcmpiW (lpString1="it-IT", lpString2="$RECYCLE.BIN") returned 1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="rsa") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="NTDETECT.COM") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="ntldr") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="MSDOS.SYS") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="IO.SYS") returned 1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="boot.ini") returned 1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="AUTOEXEC.BAT") returned 1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="ntuser.dat") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="desktop.ini") returned 1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="CONFIG.SYS") returned 1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="RECYCLER") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="BOOTSECT.BAK") returned 1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="bootmgr") returned 1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="programdata") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="appdata") returned 1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="program files") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="program files (x86)") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="microsoft") returned -1 [0269.106] lstrcmpiW (lpString1="it-IT", lpString2="sophos") returned -1 [0269.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.106] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.106] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0269.107] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.107] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.107] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.107] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.107] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.108] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.108] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.108] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.109] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.109] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d96a0 [0269.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9700 [0269.109] SystemFunction036 (in: RandomBuffer=0x28d96a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d96a0) returned 1 [0269.109] SystemFunction036 (in: RandomBuffer=0x28d9700, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9700) returned 1 [0269.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8d88 [0269.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d7f18 [0269.109] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8d88*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d8d88*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.109] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d7f18*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d7f18*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.110] GetTickCount () returned 0x11837a8 [0269.110] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.110] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.110] SetLastError (dwErrCode=0x0) [0269.110] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d8d88, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.110] GetLastError () returned 0x6 [0269.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.110] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.110] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.111] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.111] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.111] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.111] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.111] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.111] CreateFileW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.113] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.113] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d96d0 [0269.113] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d95c8 [0269.113] SystemFunction036 (in: RandomBuffer=0x28d96d0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d96d0) returned 1 [0269.113] SystemFunction036 (in: RandomBuffer=0x28d95c8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d95c8) returned 1 [0269.113] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d7c00 [0269.113] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8e90 [0269.113] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d7c00*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d7c00*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.113] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8e90*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d8e90*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.114] GetTickCount () returned 0x11837a8 [0269.114] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.114] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.114] SetLastError (dwErrCode=0x0) [0269.114] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d7c00, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.114] GetLastError () returned 0x6 [0269.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.114] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.114] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0269.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.114] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0269.114] lstrcmpiW (lpString1="ja-JP", lpString2=".") returned 1 [0269.114] lstrcmpiW (lpString1="ja-JP", lpString2="..") returned 1 [0269.114] lstrcmpiW (lpString1="ja-JP", lpString2="...") returned 1 [0269.114] lstrcmpiW (lpString1="ja-JP", lpString2="windows") returned -1 [0269.114] lstrcmpiW (lpString1="ja-JP", lpString2="$RECYCLE.BIN") returned 1 [0269.114] lstrcmpiW (lpString1="ja-JP", lpString2="rsa") returned -1 [0269.114] lstrcmpiW (lpString1="ja-JP", lpString2="NTDETECT.COM") returned -1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="ntldr") returned -1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="MSDOS.SYS") returned -1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="IO.SYS") returned 1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="boot.ini") returned 1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="AUTOEXEC.BAT") returned 1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="ntuser.dat") returned -1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="desktop.ini") returned 1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="CONFIG.SYS") returned 1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="RECYCLER") returned -1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="BOOTSECT.BAK") returned 1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="bootmgr") returned 1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="programdata") returned -1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="appdata") returned 1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="program files") returned -1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="program files (x86)") returned -1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="microsoft") returned -1 [0269.115] lstrcmpiW (lpString1="ja-JP", lpString2="sophos") returned -1 [0269.115] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.115] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.115] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.115] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.115] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.115] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f9a0 [0269.116] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.116] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.116] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.116] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.116] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.116] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.117] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.117] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.117] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.117] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.117] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.117] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.117] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.117] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.117] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9718 [0269.117] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d96e8 [0269.118] SystemFunction036 (in: RandomBuffer=0x28d9718, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9718) returned 1 [0269.118] SystemFunction036 (in: RandomBuffer=0x28d96e8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d96e8) returned 1 [0269.118] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8230 [0269.118] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d75d0 [0269.118] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8230*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d8230*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.118] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d75d0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d75d0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.118] GetTickCount () returned 0x11837a8 [0269.118] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.118] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.118] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.118] SetLastError (dwErrCode=0x0) [0269.118] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d8230, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.118] GetLastError () returned 0x6 [0269.118] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.118] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.119] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.119] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.119] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.119] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.119] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.120] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.120] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.120] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.120] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.121] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.121] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d95e0 [0269.121] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9508 [0269.121] SystemFunction036 (in: RandomBuffer=0x28d95e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d95e0) returned 1 [0269.121] SystemFunction036 (in: RandomBuffer=0x28d9508, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9508) returned 1 [0269.121] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d76d8 [0269.121] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8338 [0269.121] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d76d8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d76d8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.121] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8338*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d8338*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.121] GetTickCount () returned 0x11837b7 [0269.121] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.121] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.121] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.121] SetLastError (dwErrCode=0x0) [0269.122] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d76d8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.122] GetLastError () returned 0x6 [0269.122] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.122] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.122] FindClose (in: hFindFile=0xa2f9a0 | out: hFindFile=0xa2f9a0) returned 1 [0269.122] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.122] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.122] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.122] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2=".") returned 1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="..") returned 1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="...") returned 1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="windows") returned -1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="$RECYCLE.BIN") returned 1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="rsa") returned -1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="NTDETECT.COM") returned -1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="ntldr") returned -1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="MSDOS.SYS") returned -1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="IO.SYS") returned 1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="boot.ini") returned 1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="AUTOEXEC.BAT") returned 1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="ntuser.dat") returned -1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="desktop.ini") returned 1 [0269.122] lstrcmpiW (lpString1="ko-KR", lpString2="CONFIG.SYS") returned 1 [0269.123] lstrcmpiW (lpString1="ko-KR", lpString2="RECYCLER") returned -1 [0269.123] lstrcmpiW (lpString1="ko-KR", lpString2="BOOTSECT.BAK") returned 1 [0269.123] lstrcmpiW (lpString1="ko-KR", lpString2="bootmgr") returned 1 [0269.123] lstrcmpiW (lpString1="ko-KR", lpString2="programdata") returned -1 [0269.123] lstrcmpiW (lpString1="ko-KR", lpString2="appdata") returned 1 [0269.123] lstrcmpiW (lpString1="ko-KR", lpString2="program files") returned -1 [0269.123] lstrcmpiW (lpString1="ko-KR", lpString2="program files (x86)") returned -1 [0269.123] lstrcmpiW (lpString1="ko-KR", lpString2="microsoft") returned -1 [0269.123] lstrcmpiW (lpString1="ko-KR", lpString2="sophos") returned -1 [0269.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.123] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.123] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0269.124] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.124] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.124] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.124] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.124] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.125] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.125] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.125] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.125] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.125] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.125] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.125] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.125] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.126] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.126] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.126] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.126] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.126] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.126] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d95f8 [0269.126] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9610 [0269.126] SystemFunction036 (in: RandomBuffer=0x28d95f8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d95f8) returned 1 [0269.126] SystemFunction036 (in: RandomBuffer=0x28d9610, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9610) returned 1 [0269.127] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8f98 [0269.127] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8440 [0269.127] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8f98*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d8f98*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.127] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8440*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d8440*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.127] GetTickCount () returned 0x11837b7 [0269.127] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d98b0 [0269.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d98b0 | out: hHeap=0x28d0000) returned 1 [0269.127] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.128] SetLastError (dwErrCode=0x0) [0269.128] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d8f98, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.128] GetLastError () returned 0x6 [0269.128] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.128] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.128] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.129] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.129] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.129] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.129] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.129] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.129] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.129] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.129] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.129] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.129] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.129] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.130] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.130] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.130] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9730 [0269.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9748 [0269.130] SystemFunction036 (in: RandomBuffer=0x28d9730, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9730) returned 1 [0269.130] SystemFunction036 (in: RandomBuffer=0x28d9748, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9748) returned 1 [0269.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d8548 [0269.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da220 [0269.130] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8548*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d8548*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.131] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da220*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28da220*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.131] GetTickCount () returned 0x11837b7 [0269.131] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28db8b8 [0269.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28db8b8 | out: hHeap=0x28d0000) returned 1 [0269.131] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.131] SetLastError (dwErrCode=0x0) [0269.131] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d8548, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.131] GetLastError () returned 0x6 [0269.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.131] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.132] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0269.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.132] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2=".") returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="..") returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="...") returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="windows") returned -1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="$RECYCLE.BIN") returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="rsa") returned -1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="NTDETECT.COM") returned -1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="ntldr") returned -1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="MSDOS.SYS") returned -1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="IO.SYS") returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="boot.ini") returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="AUTOEXEC.BAT") returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="ntuser.dat") returned -1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="desktop.ini") returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="CONFIG.SYS") returned 1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="RECYCLER") returned -1 [0269.132] lstrcmpiW (lpString1="lt-LT", lpString2="BOOTSECT.BAK") returned 1 [0269.133] lstrcmpiW (lpString1="lt-LT", lpString2="bootmgr") returned 1 [0269.133] lstrcmpiW (lpString1="lt-LT", lpString2="programdata") returned -1 [0269.133] lstrcmpiW (lpString1="lt-LT", lpString2="appdata") returned 1 [0269.133] lstrcmpiW (lpString1="lt-LT", lpString2="program files") returned -1 [0269.133] lstrcmpiW (lpString1="lt-LT", lpString2="program files (x86)") returned -1 [0269.133] lstrcmpiW (lpString1="lt-LT", lpString2="microsoft") returned -1 [0269.133] lstrcmpiW (lpString1="lt-LT", lpString2="sophos") returned -1 [0269.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.133] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.133] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f4a0 [0269.133] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.133] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.133] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.133] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.133] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.134] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.135] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.135] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.135] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.135] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.135] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.135] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.136] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.141] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d97a8 [0269.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d97c0 [0269.141] SystemFunction036 (in: RandomBuffer=0x28d97a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d97a8) returned 1 [0269.141] SystemFunction036 (in: RandomBuffer=0x28d97c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d97c0) returned 1 [0269.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d9cf8 [0269.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da010 [0269.141] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d9cf8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d9cf8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.141] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da010*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28da010*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.142] GetTickCount () returned 0x11837d7 [0269.142] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28db8b8 [0269.142] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28db8b8 | out: hHeap=0x28d0000) returned 1 [0269.142] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.142] SetLastError (dwErrCode=0x0) [0269.142] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d9cf8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.142] GetLastError () returned 0x6 [0269.142] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.142] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.142] FindClose (in: hFindFile=0xa2f4a0 | out: hFindFile=0xa2f4a0) returned 1 [0269.142] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.142] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.143] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.143] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2=".") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="..") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="...") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="windows") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="$RECYCLE.BIN") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="rsa") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="NTDETECT.COM") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="ntldr") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="MSDOS.SYS") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="IO.SYS") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="boot.ini") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="AUTOEXEC.BAT") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="ntuser.dat") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="desktop.ini") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="CONFIG.SYS") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="RECYCLER") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="BOOTSECT.BAK") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="bootmgr") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="programdata") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="appdata") returned 1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="program files") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="program files (x86)") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="microsoft") returned -1 [0269.143] lstrcmpiW (lpString1="lv-LV", lpString2="sophos") returned -1 [0269.143] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.144] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.144] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.144] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.144] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.144] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f560 [0269.144] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.144] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.144] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.144] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.144] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.144] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.144] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.144] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.144] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.144] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.144] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.144] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.144] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.145] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.145] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.145] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.145] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.145] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.145] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.145] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.145] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.145] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.145] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.145] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.146] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.146] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.146] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.146] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.146] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.146] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.146] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.146] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.146] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.146] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d94d8 [0269.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9898 [0269.146] SystemFunction036 (in: RandomBuffer=0x28d94d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d94d8) returned 1 [0269.146] SystemFunction036 (in: RandomBuffer=0x28d9898, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9898) returned 1 [0269.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28daf88 [0269.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dab68 [0269.146] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28daf88*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28daf88*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.147] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dab68*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dab68*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.147] GetTickCount () returned 0x11837d7 [0269.147] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28db8b8 [0269.147] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28db8b8 | out: hHeap=0x28d0000) returned 1 [0269.147] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.147] SetLastError (dwErrCode=0x0) [0269.147] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28daf88, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.147] GetLastError () returned 0x6 [0269.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.148] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.148] FindClose (in: hFindFile=0xa2f560 | out: hFindFile=0xa2f560) returned 1 [0269.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.148] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2=".") returned 1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="..") returned 1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="...") returned 1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="windows") returned -1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="$RECYCLE.BIN") returned 1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="rsa") returned -1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="NTDETECT.COM") returned -1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="ntldr") returned -1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="MSDOS.SYS") returned -1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="IO.SYS") returned 1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="boot.ini") returned 1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="AUTOEXEC.BAT") returned 1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="ntuser.dat") returned -1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="desktop.ini") returned 1 [0269.148] lstrcmpiW (lpString1="memtest.exe", lpString2="CONFIG.SYS") returned 1 [0269.149] lstrcmpiW (lpString1="memtest.exe", lpString2="RECYCLER") returned -1 [0269.149] lstrcmpiW (lpString1="memtest.exe", lpString2="BOOTSECT.BAK") returned 1 [0269.149] lstrcmpiW (lpString1="memtest.exe", lpString2="bootmgr") returned 1 [0269.149] lstrcmpiW (lpString1="memtest.exe", lpString2="programdata") returned -1 [0269.149] lstrcmpiW (lpString1="memtest.exe", lpString2="appdata") returned 1 [0269.149] lstrcmpiW (lpString1="memtest.exe", lpString2="program files") returned -1 [0269.149] lstrcmpiW (lpString1="memtest.exe", lpString2="program files (x86)") returned -1 [0269.149] lstrcmpiW (lpString1="memtest.exe", lpString2="microsoft") returned -1 [0269.149] lstrcmpiW (lpString1="memtest.exe", lpString2="sophos") returned -1 [0269.149] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.149] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.149] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0269.149] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0269.149] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2=".") returned 1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="..") returned 1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="...") returned 1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="windows") returned -1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="$RECYCLE.BIN") returned 1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="rsa") returned -1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="NTDETECT.COM") returned -1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="ntldr") returned -1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="MSDOS.SYS") returned 1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="IO.SYS") returned 1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="boot.ini") returned 1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="AUTOEXEC.BAT") returned 1 [0269.149] lstrcmpiW (lpString1="nb-NO", lpString2="ntuser.dat") returned -1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="desktop.ini") returned 1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="CONFIG.SYS") returned 1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="RECYCLER") returned -1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="BOOTSECT.BAK") returned 1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="bootmgr") returned 1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="programdata") returned -1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="appdata") returned 1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="program files") returned -1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="program files (x86)") returned -1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="microsoft") returned 1 [0269.150] lstrcmpiW (lpString1="nb-NO", lpString2="sophos") returned -1 [0269.150] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.150] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.150] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.150] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.150] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.150] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0269.151] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.151] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.152] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.153] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.153] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.153] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.153] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.153] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.153] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.153] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.153] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.153] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.154] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.154] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9808 [0269.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9880 [0269.154] SystemFunction036 (in: RandomBuffer=0x28d9808, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9808) returned 1 [0269.154] SystemFunction036 (in: RandomBuffer=0x28d9880, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9880) returned 1 [0269.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28db198 [0269.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da328 [0269.154] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28db198*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28db198*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.155] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da328*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28da328*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.155] GetTickCount () returned 0x11837d7 [0269.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28db8b8 [0269.155] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28db8b8 | out: hHeap=0x28d0000) returned 1 [0269.155] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.155] SetLastError (dwErrCode=0x0) [0269.155] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28db198, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.155] GetLastError () returned 0x6 [0269.155] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.155] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.155] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.155] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.156] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.156] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.156] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.156] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.156] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.157] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.157] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.157] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.157] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d97d8 [0269.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9850 [0269.157] SystemFunction036 (in: RandomBuffer=0x28d97d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28d97d8) returned 1 [0269.158] SystemFunction036 (in: RandomBuffer=0x28d9850, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9850) returned 1 [0269.158] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da748 [0269.158] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da430 [0269.158] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da748*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28da748*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.158] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da430*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28da430*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.158] GetTickCount () returned 0x11837d7 [0269.158] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28db8b8 [0269.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28db8b8 | out: hHeap=0x28d0000) returned 1 [0269.159] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.159] SetLastError (dwErrCode=0x0) [0269.159] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28da748, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.159] GetLastError () returned 0x6 [0269.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.159] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.159] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0269.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.159] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0269.159] lstrcmpiW (lpString1="nl-NL", lpString2=".") returned 1 [0269.159] lstrcmpiW (lpString1="nl-NL", lpString2="..") returned 1 [0269.159] lstrcmpiW (lpString1="nl-NL", lpString2="...") returned 1 [0269.159] lstrcmpiW (lpString1="nl-NL", lpString2="windows") returned -1 [0269.159] lstrcmpiW (lpString1="nl-NL", lpString2="$RECYCLE.BIN") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="rsa") returned -1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="NTDETECT.COM") returned -1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="ntldr") returned -1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="MSDOS.SYS") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="IO.SYS") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="boot.ini") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="AUTOEXEC.BAT") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="ntuser.dat") returned -1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="desktop.ini") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="CONFIG.SYS") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="RECYCLER") returned -1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="BOOTSECT.BAK") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="bootmgr") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="programdata") returned -1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="appdata") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="program files") returned -1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="program files (x86)") returned -1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="microsoft") returned 1 [0269.160] lstrcmpiW (lpString1="nl-NL", lpString2="sophos") returned -1 [0269.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.160] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.160] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0269.161] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.161] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.161] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.161] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.161] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.161] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.162] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.162] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.162] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.162] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.162] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.162] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.162] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.162] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.162] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.162] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.171] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.171] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.171] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.171] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.171] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.171] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.171] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.171] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.171] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.171] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.173] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d97f0 [0269.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9838 [0269.173] SystemFunction036 (in: RandomBuffer=0x28d97f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28d97f0) returned 1 [0269.173] SystemFunction036 (in: RandomBuffer=0x28d9838, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9838) returned 1 [0269.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28db4b0 [0269.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dac70 [0269.173] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28db4b0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28db4b0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.174] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dac70*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dac70*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.174] GetTickCount () returned 0x11837f6 [0269.174] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28db8b8 [0269.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28db8b8 | out: hHeap=0x28d0000) returned 1 [0269.174] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.174] SetLastError (dwErrCode=0x0) [0269.174] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28db4b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.174] GetLastError () returned 0x6 [0269.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.174] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.175] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.176] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.176] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.176] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.176] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.176] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.176] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.176] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.177] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.177] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9868 [0269.177] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28d9820 [0269.177] SystemFunction036 (in: RandomBuffer=0x28d9868, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9868) returned 1 [0269.177] SystemFunction036 (in: RandomBuffer=0x28d9820, RandomBufferLength=0x10 | out: RandomBuffer=0x28d9820) returned 1 [0269.177] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28db3a8 [0269.177] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da538 [0269.177] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28db3a8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28db3a8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.178] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da538*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28da538*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.178] GetTickCount () returned 0x11837f6 [0269.178] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28db8b8 [0269.178] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28db8b8 | out: hHeap=0x28d0000) returned 1 [0269.178] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.178] SetLastError (dwErrCode=0x0) [0269.178] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28db3a8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.178] GetLastError () returned 0x6 [0269.178] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.178] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.179] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0269.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.179] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2=".") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="..") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="...") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="windows") returned -1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="$RECYCLE.BIN") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="rsa") returned -1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="NTDETECT.COM") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="ntldr") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="MSDOS.SYS") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="IO.SYS") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="boot.ini") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="AUTOEXEC.BAT") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="ntuser.dat") returned 1 [0269.179] lstrcmpiW (lpString1="pl-PL", lpString2="desktop.ini") returned 1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="CONFIG.SYS") returned 1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="RECYCLER") returned -1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="BOOTSECT.BAK") returned 1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="bootmgr") returned 1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="programdata") returned -1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="appdata") returned 1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="program files") returned -1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="program files (x86)") returned -1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="microsoft") returned 1 [0269.180] lstrcmpiW (lpString1="pl-PL", lpString2="sophos") returned -1 [0269.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.180] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0269.181] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.181] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.181] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.181] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.181] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.182] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.182] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.182] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.182] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.182] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.182] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.182] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.184] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.184] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.184] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.184] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.184] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.184] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.184] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.184] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.184] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.185] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.185] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.185] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.185] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.185] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbb10 [0269.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dba08 [0269.185] SystemFunction036 (in: RandomBuffer=0x28dbb10, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbb10) returned 1 [0269.185] SystemFunction036 (in: RandomBuffer=0x28dba08, RandomBufferLength=0x10 | out: RandomBuffer=0x28dba08) returned 1 [0269.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d9ae8 [0269.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28db090 [0269.185] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d9ae8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d9ae8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.186] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28db090*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28db090*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.186] GetTickCount () returned 0x11837f6 [0269.186] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.186] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.186] SetLastError (dwErrCode=0x0) [0269.186] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d9ae8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.186] GetLastError () returned 0x6 [0269.187] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.187] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.187] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.188] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.188] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.188] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.188] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.188] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.188] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.188] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.188] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.189] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.189] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.190] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.190] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbba0 [0269.190] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db900 [0269.190] SystemFunction036 (in: RandomBuffer=0x28dbba0, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbba0) returned 1 [0269.190] SystemFunction036 (in: RandomBuffer=0x28db900, RandomBufferLength=0x10 | out: RandomBuffer=0x28db900) returned 1 [0269.190] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d9e00 [0269.190] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28db5b8 [0269.190] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d9e00*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d9e00*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.191] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28db5b8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28db5b8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.191] GetTickCount () returned 0x11837f6 [0269.191] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.191] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.191] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.191] SetLastError (dwErrCode=0x0) [0269.191] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d9e00, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.191] GetLastError () returned 0x6 [0269.192] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.192] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.192] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0269.192] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.192] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.192] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.192] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0269.192] lstrcmpiW (lpString1="pt-BR", lpString2=".") returned 1 [0269.192] lstrcmpiW (lpString1="pt-BR", lpString2="..") returned 1 [0269.192] lstrcmpiW (lpString1="pt-BR", lpString2="...") returned 1 [0269.192] lstrcmpiW (lpString1="pt-BR", lpString2="windows") returned -1 [0269.192] lstrcmpiW (lpString1="pt-BR", lpString2="$RECYCLE.BIN") returned 1 [0269.192] lstrcmpiW (lpString1="pt-BR", lpString2="rsa") returned -1 [0269.192] lstrcmpiW (lpString1="pt-BR", lpString2="NTDETECT.COM") returned 1 [0269.192] lstrcmpiW (lpString1="pt-BR", lpString2="ntldr") returned 1 [0269.192] lstrcmpiW (lpString1="pt-BR", lpString2="MSDOS.SYS") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="IO.SYS") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="boot.ini") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="AUTOEXEC.BAT") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="ntuser.dat") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="desktop.ini") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="CONFIG.SYS") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="RECYCLER") returned -1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="BOOTSECT.BAK") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="bootmgr") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="programdata") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="appdata") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="program files") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="program files (x86)") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="microsoft") returned 1 [0269.193] lstrcmpiW (lpString1="pt-BR", lpString2="sophos") returned -1 [0269.193] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.193] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.193] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.193] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.193] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.193] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f560 [0269.194] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.194] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.194] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.194] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.194] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.195] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.195] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.195] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.195] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.195] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.195] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.195] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.195] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.196] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.196] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.196] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.196] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.196] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.197] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbb70 [0269.197] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db9a8 [0269.197] SystemFunction036 (in: RandomBuffer=0x28dbb70, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbb70) returned 1 [0269.197] SystemFunction036 (in: RandomBuffer=0x28db9a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28db9a8) returned 1 [0269.197] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da118 [0269.197] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d9f08 [0269.197] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da118*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28da118*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.197] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d9f08*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d9f08*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.198] GetTickCount () returned 0x11837f6 [0269.198] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.198] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.198] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.198] SetLastError (dwErrCode=0x0) [0269.198] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28da118, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.198] GetLastError () returned 0x6 [0269.198] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.198] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.199] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.200] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.200] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.200] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.200] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.200] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.200] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.201] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.201] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.201] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.201] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbab0 [0269.201] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db9c0 [0269.201] SystemFunction036 (in: RandomBuffer=0x28dbab0, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbab0) returned 1 [0269.201] SystemFunction036 (in: RandomBuffer=0x28db9c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28db9c0) returned 1 [0269.201] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dae80 [0269.201] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28db6c0 [0269.201] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dae80*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dae80*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.203] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28db6c0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28db6c0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.205] GetTickCount () returned 0x1183805 [0269.205] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.205] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.205] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.205] SetLastError (dwErrCode=0x0) [0269.206] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dae80, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.206] GetLastError () returned 0x6 [0269.206] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.206] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.206] FindClose (in: hFindFile=0xa2f560 | out: hFindFile=0xa2f560) returned 1 [0269.206] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.206] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.206] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.206] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0269.206] lstrcmpiW (lpString1="pt-PT", lpString2=".") returned 1 [0269.206] lstrcmpiW (lpString1="pt-PT", lpString2="..") returned 1 [0269.206] lstrcmpiW (lpString1="pt-PT", lpString2="...") returned 1 [0269.206] lstrcmpiW (lpString1="pt-PT", lpString2="windows") returned -1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="$RECYCLE.BIN") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="rsa") returned -1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="NTDETECT.COM") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="ntldr") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="MSDOS.SYS") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="IO.SYS") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="boot.ini") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="AUTOEXEC.BAT") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="ntuser.dat") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="desktop.ini") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="CONFIG.SYS") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="RECYCLER") returned -1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="BOOTSECT.BAK") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="bootmgr") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="programdata") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="appdata") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="program files") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="program files (x86)") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="microsoft") returned 1 [0269.207] lstrcmpiW (lpString1="pt-PT", lpString2="sophos") returned -1 [0269.208] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.208] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.208] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.208] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.208] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f360 [0269.209] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.209] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.209] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.209] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.209] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.209] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.209] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.209] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.211] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.211] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.211] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.211] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.211] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.211] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.212] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.212] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.212] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.212] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbae0 [0269.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbb58 [0269.212] SystemFunction036 (in: RandomBuffer=0x28dbae0, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbae0) returned 1 [0269.212] SystemFunction036 (in: RandomBuffer=0x28dbb58, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbb58) returned 1 [0269.213] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d99e0 [0269.213] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da850 [0269.213] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d99e0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28d99e0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.213] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da850*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28da850*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.214] GetTickCount () returned 0x1183815 [0269.214] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.214] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.214] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.214] SetLastError (dwErrCode=0x0) [0269.214] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28d99e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.214] GetLastError () returned 0x6 [0269.214] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.214] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.214] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.214] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.214] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.214] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.214] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.215] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.215] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.216] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.216] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.216] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.216] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.216] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.217] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.217] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.217] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db960 [0269.217] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db9d8 [0269.217] SystemFunction036 (in: RandomBuffer=0x28db960, RandomBufferLength=0x10 | out: RandomBuffer=0x28db960) returned 1 [0269.217] SystemFunction036 (in: RandomBuffer=0x28db9d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28db9d8) returned 1 [0269.217] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da958 [0269.217] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d9bf0 [0269.217] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da958*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28da958*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.219] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d9bf0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d9bf0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.221] GetTickCount () returned 0x1183815 [0269.221] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.221] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.221] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.221] SetLastError (dwErrCode=0x0) [0269.221] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28da958, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.221] GetLastError () returned 0x6 [0269.221] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.221] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.222] FindClose (in: hFindFile=0xa2f360 | out: hFindFile=0xa2f360) returned 1 [0269.222] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.222] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.222] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.222] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2=".") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="..") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="...") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="windows") returned -1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="$RECYCLE.BIN") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="rsa") returned -1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="NTDETECT.COM") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="ntldr") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="MSDOS.SYS") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="IO.SYS") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="boot.ini") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="AUTOEXEC.BAT") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="ntuser.dat") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="desktop.ini") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="CONFIG.SYS") returned 1 [0269.222] lstrcmpiW (lpString1="qps-ploc", lpString2="RECYCLER") returned -1 [0269.223] lstrcmpiW (lpString1="qps-ploc", lpString2="BOOTSECT.BAK") returned 1 [0269.223] lstrcmpiW (lpString1="qps-ploc", lpString2="bootmgr") returned 1 [0269.223] lstrcmpiW (lpString1="qps-ploc", lpString2="programdata") returned 1 [0269.223] lstrcmpiW (lpString1="qps-ploc", lpString2="appdata") returned 1 [0269.223] lstrcmpiW (lpString1="qps-ploc", lpString2="program files") returned 1 [0269.223] lstrcmpiW (lpString1="qps-ploc", lpString2="program files (x86)") returned 1 [0269.223] lstrcmpiW (lpString1="qps-ploc", lpString2="microsoft") returned 1 [0269.223] lstrcmpiW (lpString1="qps-ploc", lpString2="sophos") returned -1 [0269.223] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.223] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.223] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.223] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.223] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0269.223] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0269.223] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.223] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.224] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.224] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.224] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.225] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd30 [0269.225] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.225] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.225] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.225] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd88 [0269.226] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.228] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.228] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db9f0 [0269.228] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbb40 [0269.228] SystemFunction036 (in: RandomBuffer=0x28db9f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28db9f0) returned 1 [0269.228] SystemFunction036 (in: RandomBuffer=0x28dbb40, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbb40) returned 1 [0269.228] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28daa60 [0269.228] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28da640 [0269.228] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28daa60*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28daa60*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.229] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28da640*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28da640*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.229] GetTickCount () returned 0x1183815 [0269.229] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0269.229] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.229] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.229] SetLastError (dwErrCode=0x0) [0269.230] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28daa60, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.230] GetLastError () returned 0x6 [0269.230] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd88 | out: hHeap=0x28d0000) returned 1 [0269.230] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.230] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.231] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.231] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.231] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.231] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.231] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.231] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd88 [0269.231] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd30 | out: hHeap=0x28d0000) returned 1 [0269.231] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.231] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.231] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcf8 [0269.232] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.232] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbb88 [0269.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dba20 [0269.232] SystemFunction036 (in: RandomBuffer=0x28dbb88, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbb88) returned 1 [0269.232] SystemFunction036 (in: RandomBuffer=0x28dba20, RandomBufferLength=0x10 | out: RandomBuffer=0x28dba20) returned 1 [0269.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28db2a0 [0269.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28d98d8 [0269.232] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28db2a0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28db2a0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.234] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d98d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28d98d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.236] GetTickCount () returned 0x1183825 [0269.236] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd50 [0269.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0269.236] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.236] SetLastError (dwErrCode=0x0) [0269.236] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28db2a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.236] GetLastError () returned 0x6 [0269.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.236] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.236] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0269.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd88 | out: hHeap=0x28d0000) returned 1 [0269.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.237] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2=".") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="..") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="...") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="windows") returned -1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="$RECYCLE.BIN") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="rsa") returned -1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="NTDETECT.COM") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="ntldr") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="MSDOS.SYS") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="IO.SYS") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="boot.ini") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="AUTOEXEC.BAT") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="ntuser.dat") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="desktop.ini") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="CONFIG.SYS") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="RECYCLER") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="BOOTSECT.BAK") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="bootmgr") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="programdata") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="appdata") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="program files") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="program files (x86)") returned 1 [0269.237] lstrcmpiW (lpString1="Resources", lpString2="microsoft") returned 1 [0269.238] lstrcmpiW (lpString1="Resources", lpString2="sophos") returned -1 [0269.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.238] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0269.238] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0269.239] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.239] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.239] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.239] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.239] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9abff9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef597530, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x169a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2=".") returned 1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="..") returned 1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="...") returned 1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="windows") returned -1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="$RECYCLE.BIN") returned 1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="rsa") returned -1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="NTDETECT.COM") returned -1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="ntldr") returned -1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="MSDOS.SYS") returned -1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="IO.SYS") returned -1 [0269.239] lstrcmpiW (lpString1="bootres.dll", lpString2="boot.ini") returned 1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="AUTOEXEC.BAT") returned 1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="ntuser.dat") returned -1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="desktop.ini") returned -1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="CONFIG.SYS") returned -1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="RECYCLER") returned -1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="BOOTSECT.BAK") returned -1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="bootmgr") returned 1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="programdata") returned -1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="appdata") returned 1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="program files") returned -1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="program files (x86)") returned -1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="microsoft") returned -1 [0269.240] lstrcmpiW (lpString1="bootres.dll", lpString2="sophos") returned -1 [0269.240] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd30 [0269.240] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.240] PathFindExtensionW (pszPath="bootres.dll") returned=".dll" [0269.240] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0269.240] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0269.240] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0269.240] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0269.240] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0269.240] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0269.240] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0269.240] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0269.240] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="en-US", cAlternateFileName="")) returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="microsoft") returned -1 [0269.241] lstrcmpiW (lpString1="en-US", lpString2="sophos") returned -1 [0269.241] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0269.242] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x46) returned 0x28dbd78 [0269.242] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.242] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd30 | out: hHeap=0x28d0000) returned 1 [0269.242] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcf8 [0269.242] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdc8 [0269.242] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe10 [0269.242] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0269.242] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.242] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.242] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.242] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.242] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0269.242] lstrcmpiW (lpString1="bootres.dll.mui", lpString2=".") returned 1 [0269.242] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="..") returned 1 [0269.242] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="...") returned 1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="windows") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="rsa") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="NTDETECT.COM") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="ntldr") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="MSDOS.SYS") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="IO.SYS") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="boot.ini") returned 1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="ntuser.dat") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="desktop.ini") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="CONFIG.SYS") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="RECYCLER") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="bootmgr") returned 1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="programdata") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="appdata") returned 1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="program files") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="program files (x86)") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="microsoft") returned -1 [0269.243] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="sophos") returned -1 [0269.243] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe58 [0269.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0269.243] PathFindExtensionW (pszPath="bootres.dll.mui") returned=".mui" [0269.243] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.244] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.244] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.244] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbeb0 [0269.244] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.244] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=440599260887424) returned 0 [0269.245] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbbb8 [0269.245] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dba38 [0269.245] SystemFunction036 (in: RandomBuffer=0x28dbbb8, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbbb8) returned 1 [0269.245] SystemFunction036 (in: RandomBuffer=0x28dba38, RandomBufferLength=0x10 | out: RandomBuffer=0x28dba38) returned 1 [0269.245] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dad78 [0269.245] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc140 [0269.245] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dad78*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x28dad78*, pdwDataLen=0x26eec08*=0x100) returned 1 [0269.246] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc140*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x28dc140*, pdwDataLen=0x26eec04*=0x100) returned 1 [0269.247] GetTickCount () returned 0x1183834 [0269.247] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd40 [0269.247] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd40 | out: hHeap=0x28d0000) returned 1 [0269.247] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.247] SetLastError (dwErrCode=0x0) [0269.247] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dad78, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0) returned 0 [0269.248] GetLastError () returned 0x6 [0269.248] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbeb0 | out: hHeap=0x28d0000) returned 1 [0269.248] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 0 [0269.248] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0269.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0269.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdc8 | out: hHeap=0x28d0000) returned 1 [0269.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.249] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="en-US", cAlternateFileName="")) returned 0 [0269.249] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0269.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd78 | out: hHeap=0x28d0000) returned 1 [0269.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.249] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.250] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2=".") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="..") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="...") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="windows") returned -1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="$RECYCLE.BIN") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="rsa") returned -1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="NTDETECT.COM") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="ntldr") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="MSDOS.SYS") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="IO.SYS") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="boot.ini") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="AUTOEXEC.BAT") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="ntuser.dat") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="desktop.ini") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="CONFIG.SYS") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="RECYCLER") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="BOOTSECT.BAK") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="bootmgr") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="programdata") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="appdata") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="program files") returned 1 [0269.250] lstrcmpiW (lpString1="ro-RO", lpString2="program files (x86)") returned 1 [0269.251] lstrcmpiW (lpString1="ro-RO", lpString2="microsoft") returned 1 [0269.251] lstrcmpiW (lpString1="ro-RO", lpString2="sophos") returned -1 [0269.251] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.251] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.251] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.251] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.251] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.251] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f420 [0269.251] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.251] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.251] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.251] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.251] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.251] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.251] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.252] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.252] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.253] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.253] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.253] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.253] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.254] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.254] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dba50 [0269.254] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbbd0 [0269.254] SystemFunction036 (in: RandomBuffer=0x28dba50, RandomBufferLength=0x10 | out: RandomBuffer=0x28dba50) returned 1 [0269.254] SystemFunction036 (in: RandomBuffer=0x28dbbd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbbd0) returned 1 [0269.254] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dcb90 [0269.254] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc770 [0269.254] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dcb90*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dcb90*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.255] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc770*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dc770*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.255] GetTickCount () returned 0x1183834 [0269.255] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.255] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.255] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.255] SetLastError (dwErrCode=0x0) [0269.255] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dcb90, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.255] GetLastError () returned 0x6 [0269.255] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.255] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.256] FindClose (in: hFindFile=0xa2f420 | out: hFindFile=0xa2f420) returned 1 [0269.256] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.256] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.256] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.256] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2=".") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="..") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="...") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="windows") returned -1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="$RECYCLE.BIN") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="rsa") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="NTDETECT.COM") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="ntldr") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="MSDOS.SYS") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="IO.SYS") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="boot.ini") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="AUTOEXEC.BAT") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="ntuser.dat") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="desktop.ini") returned 1 [0269.256] lstrcmpiW (lpString1="ru-RU", lpString2="CONFIG.SYS") returned 1 [0269.257] lstrcmpiW (lpString1="ru-RU", lpString2="RECYCLER") returned 1 [0269.257] lstrcmpiW (lpString1="ru-RU", lpString2="BOOTSECT.BAK") returned 1 [0269.257] lstrcmpiW (lpString1="ru-RU", lpString2="bootmgr") returned 1 [0269.257] lstrcmpiW (lpString1="ru-RU", lpString2="programdata") returned 1 [0269.257] lstrcmpiW (lpString1="ru-RU", lpString2="appdata") returned 1 [0269.257] lstrcmpiW (lpString1="ru-RU", lpString2="program files") returned 1 [0269.257] lstrcmpiW (lpString1="ru-RU", lpString2="program files (x86)") returned 1 [0269.257] lstrcmpiW (lpString1="ru-RU", lpString2="microsoft") returned 1 [0269.257] lstrcmpiW (lpString1="ru-RU", lpString2="sophos") returned -1 [0269.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.257] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.257] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0269.258] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.258] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.258] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.258] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.258] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.259] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.259] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.260] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.260] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.260] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.260] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.262] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.262] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.262] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.262] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db918 [0269.263] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dba68 [0269.263] SystemFunction036 (in: RandomBuffer=0x28db918, RandomBufferLength=0x10 | out: RandomBuffer=0x28db918) returned 1 [0269.263] SystemFunction036 (in: RandomBuffer=0x28dba68, RandomBufferLength=0x10 | out: RandomBuffer=0x28dba68) returned 1 [0269.263] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc038 [0269.263] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dd5e0 [0269.263] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc038*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dc038*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.263] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd5e0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dd5e0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.265] GetTickCount () returned 0x1183844 [0269.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.265] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.265] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.265] SetLastError (dwErrCode=0x0) [0269.265] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dc038, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.265] GetLastError () returned 0x6 [0269.265] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.265] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.265] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.265] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.265] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.265] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.265] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.266] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.266] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.266] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.266] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.266] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.266] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.267] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.267] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.267] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.268] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.268] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dba98 [0269.268] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db990 [0269.268] SystemFunction036 (in: RandomBuffer=0x28dba98, RandomBufferLength=0x10 | out: RandomBuffer=0x28dba98) returned 1 [0269.268] SystemFunction036 (in: RandomBuffer=0x28db990, RandomBufferLength=0x10 | out: RandomBuffer=0x28db990) returned 1 [0269.268] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dcda0 [0269.268] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dcfb0 [0269.268] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dcda0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dcda0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.270] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dcfb0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dcfb0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.270] GetTickCount () returned 0x1183844 [0269.270] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.270] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.270] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.271] SetLastError (dwErrCode=0x0) [0269.271] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dcda0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.271] GetLastError () returned 0x6 [0269.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.271] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.271] FindClose (in: hFindFile=0xa2f920 | out: hFindFile=0xa2f920) returned 1 [0269.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.271] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0269.271] lstrcmpiW (lpString1="sk-SK", lpString2=".") returned 1 [0269.271] lstrcmpiW (lpString1="sk-SK", lpString2="..") returned 1 [0269.271] lstrcmpiW (lpString1="sk-SK", lpString2="...") returned 1 [0269.271] lstrcmpiW (lpString1="sk-SK", lpString2="windows") returned -1 [0269.271] lstrcmpiW (lpString1="sk-SK", lpString2="$RECYCLE.BIN") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="rsa") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="NTDETECT.COM") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="ntldr") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="MSDOS.SYS") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="IO.SYS") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="boot.ini") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="AUTOEXEC.BAT") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="ntuser.dat") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="desktop.ini") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="CONFIG.SYS") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="RECYCLER") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="BOOTSECT.BAK") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="bootmgr") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="programdata") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="appdata") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="program files") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="program files (x86)") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="microsoft") returned 1 [0269.272] lstrcmpiW (lpString1="sk-SK", lpString2="sophos") returned -1 [0269.272] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.272] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.272] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.272] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.273] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.273] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0269.273] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.273] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.273] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.273] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.273] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.273] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.273] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.273] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.273] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.273] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.273] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.274] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.274] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.274] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.274] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.275] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.275] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.275] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.275] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.277] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.277] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db8e8 [0269.277] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbac8 [0269.277] SystemFunction036 (in: RandomBuffer=0x28db8e8, RandomBufferLength=0x10 | out: RandomBuffer=0x28db8e8) returned 1 [0269.277] SystemFunction036 (in: RandomBuffer=0x28dbac8, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbac8) returned 1 [0269.277] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc350 [0269.277] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dca88 [0269.277] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc350*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dc350*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.277] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dca88*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dca88*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.279] GetTickCount () returned 0x1183854 [0269.279] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.279] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.279] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.279] SetLastError (dwErrCode=0x0) [0269.279] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dc350, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.280] GetLastError () returned 0x6 [0269.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.280] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.280] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0269.281] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.281] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.281] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.281] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0269.281] lstrcmpiW (lpString1="sl-SI", lpString2=".") returned 1 [0269.281] lstrcmpiW (lpString1="sl-SI", lpString2="..") returned 1 [0269.281] lstrcmpiW (lpString1="sl-SI", lpString2="...") returned 1 [0269.281] lstrcmpiW (lpString1="sl-SI", lpString2="windows") returned -1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="$RECYCLE.BIN") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="rsa") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="NTDETECT.COM") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="ntldr") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="MSDOS.SYS") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="IO.SYS") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="boot.ini") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="AUTOEXEC.BAT") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="ntuser.dat") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="desktop.ini") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="CONFIG.SYS") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="RECYCLER") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="BOOTSECT.BAK") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="bootmgr") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="programdata") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="appdata") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="program files") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="program files (x86)") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="microsoft") returned 1 [0269.282] lstrcmpiW (lpString1="sl-SI", lpString2="sophos") returned -1 [0269.282] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.282] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.282] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.282] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.283] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.283] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0269.283] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.283] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.283] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.283] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.283] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.283] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.283] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.283] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.283] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.283] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.283] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.283] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.283] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.284] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.284] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.284] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.284] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.284] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.284] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.284] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.285] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.285] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.285] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.285] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.285] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.286] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dba80 [0269.286] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbaf8 [0269.286] SystemFunction036 (in: RandomBuffer=0x28dba80, RandomBufferLength=0x10 | out: RandomBuffer=0x28dba80) returned 1 [0269.286] SystemFunction036 (in: RandomBuffer=0x28dbaf8, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbaf8) returned 1 [0269.286] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dbf30 [0269.286] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dcc98 [0269.286] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dbf30*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dbf30*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.288] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dcc98*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dcc98*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.290] GetTickCount () returned 0x1183854 [0269.290] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.290] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.290] SetLastError (dwErrCode=0x0) [0269.290] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dbf30, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.290] GetLastError () returned 0x6 [0269.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.290] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.290] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0269.291] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.291] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.291] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.291] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="...") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="windows") returned -1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="$RECYCLE.BIN") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="rsa") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="NTDETECT.COM") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="ntldr") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="MSDOS.SYS") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="IO.SYS") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="boot.ini") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="AUTOEXEC.BAT") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="ntuser.dat") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="desktop.ini") returned 1 [0269.291] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="CONFIG.SYS") returned 1 [0269.292] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="RECYCLER") returned 1 [0269.292] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="BOOTSECT.BAK") returned 1 [0269.292] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="bootmgr") returned 1 [0269.292] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="programdata") returned 1 [0269.292] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="appdata") returned 1 [0269.292] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="program files") returned 1 [0269.292] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="program files (x86)") returned 1 [0269.292] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="microsoft") returned 1 [0269.292] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="sophos") returned 1 [0269.292] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.292] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.292] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.292] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.292] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0269.293] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0269.293] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.293] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.293] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.293] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.293] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.293] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.293] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.293] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.293] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.293] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.293] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.293] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.293] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.293] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd30 [0269.294] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.294] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.294] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.294] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.294] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.294] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.294] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.294] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.295] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.295] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd88 [0269.295] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.297] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbb28 [0269.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db930 [0269.297] SystemFunction036 (in: RandomBuffer=0x28dbb28, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbb28) returned 1 [0269.297] SystemFunction036 (in: RandomBuffer=0x28db930, RandomBufferLength=0x10 | out: RandomBuffer=0x28db930) returned 1 [0269.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dd7f0 [0269.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc458 [0269.297] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd7f0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dd7f0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.297] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc458*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dc458*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.298] GetTickCount () returned 0x1183863 [0269.298] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0269.298] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.298] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.298] SetLastError (dwErrCode=0x0) [0269.298] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dd7f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.298] GetLastError () returned 0x6 [0269.298] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd88 | out: hHeap=0x28d0000) returned 1 [0269.298] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.298] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.298] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.298] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.298] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.298] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.299] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.299] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd88 [0269.299] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd30 | out: hHeap=0x28d0000) returned 1 [0269.299] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.299] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.299] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.299] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.299] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.300] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.300] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.300] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcf8 [0269.300] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.300] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.300] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db948 [0269.300] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28db978 [0269.301] SystemFunction036 (in: RandomBuffer=0x28db948, RandomBufferLength=0x10 | out: RandomBuffer=0x28db948) returned 1 [0269.301] SystemFunction036 (in: RandomBuffer=0x28db978, RandomBufferLength=0x10 | out: RandomBuffer=0x28db978) returned 1 [0269.301] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dd3d0 [0269.301] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dd8f8 [0269.301] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd3d0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dd3d0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.302] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd8f8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dd8f8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.304] GetTickCount () returned 0x1183863 [0269.304] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd50 [0269.304] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0269.304] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.304] SetLastError (dwErrCode=0x0) [0269.304] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dd3d0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.305] GetLastError () returned 0x6 [0269.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.305] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.305] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0269.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd88 | out: hHeap=0x28d0000) returned 1 [0269.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.305] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2=".") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="..") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="...") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="windows") returned -1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="$RECYCLE.BIN") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="rsa") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="NTDETECT.COM") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="ntldr") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="MSDOS.SYS") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="IO.SYS") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="boot.ini") returned 1 [0269.305] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="AUTOEXEC.BAT") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="ntuser.dat") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="desktop.ini") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="CONFIG.SYS") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="RECYCLER") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="BOOTSECT.BAK") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="bootmgr") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="programdata") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="appdata") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="program files") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="program files (x86)") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="microsoft") returned 1 [0269.306] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="sophos") returned 1 [0269.306] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.306] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.306] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.306] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.306] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0269.306] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0269.307] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.307] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.307] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.307] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.307] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.308] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.308] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd30 [0269.308] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.308] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.308] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.309] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.309] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.309] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.309] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.309] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.309] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd88 [0269.309] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.309] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbc00 [0269.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbbe8 [0269.309] SystemFunction036 (in: RandomBuffer=0x28dbc00, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbc00) returned 1 [0269.309] SystemFunction036 (in: RandomBuffer=0x28dbbe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbbe8) returned 1 [0269.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc560 [0269.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dcea8 [0269.309] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc560*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dc560*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.310] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dcea8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dcea8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.310] GetTickCount () returned 0x1183873 [0269.310] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0269.310] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0269.310] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.311] SetLastError (dwErrCode=0x0) [0269.311] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dc560, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.311] GetLastError () returned 0x6 [0269.311] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd88 | out: hHeap=0x28d0000) returned 1 [0269.311] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.311] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0269.311] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd30 | out: hHeap=0x28d0000) returned 1 [0269.311] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.311] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.311] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2=".") returned 1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2="..") returned 1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2="...") returned 1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2="windows") returned -1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2="$RECYCLE.BIN") returned 1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2="rsa") returned 1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2="NTDETECT.COM") returned 1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2="ntldr") returned 1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2="MSDOS.SYS") returned 1 [0269.311] lstrcmpiW (lpString1="sv-SE", lpString2="IO.SYS") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="boot.ini") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="AUTOEXEC.BAT") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="ntuser.dat") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="desktop.ini") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="CONFIG.SYS") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="RECYCLER") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="BOOTSECT.BAK") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="bootmgr") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="programdata") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="appdata") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="program files") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="program files (x86)") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="microsoft") returned 1 [0269.312] lstrcmpiW (lpString1="sv-SE", lpString2="sophos") returned 1 [0269.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.312] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.312] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0269.313] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.313] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.313] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.313] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.314] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.314] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.315] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.315] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.315] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.315] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.315] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.315] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.316] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.316] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbc18 [0269.316] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbc60 [0269.316] SystemFunction036 (in: RandomBuffer=0x28dbc18, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbc18) returned 1 [0269.316] SystemFunction036 (in: RandomBuffer=0x28dbc60, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbc60) returned 1 [0269.316] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc248 [0269.316] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dd4d8 [0269.316] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc248*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dc248*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.316] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd4d8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dd4d8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.318] GetTickCount () returned 0x1183873 [0269.318] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.318] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.318] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.318] SetLastError (dwErrCode=0x0) [0269.318] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dc248, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.318] GetLastError () returned 0x6 [0269.318] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.318] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.319] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.319] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.320] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.320] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.320] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.320] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.320] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.320] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.321] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbc30 [0269.321] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbc48 [0269.321] SystemFunction036 (in: RandomBuffer=0x28dbc30, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbc30) returned 1 [0269.321] SystemFunction036 (in: RandomBuffer=0x28dbc48, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbc48) returned 1 [0269.321] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc668 [0269.321] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dd0b8 [0269.321] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc668*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dc668*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.323] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd0b8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dd0b8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.323] GetTickCount () returned 0x1183882 [0269.324] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.324] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.324] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.324] SetLastError (dwErrCode=0x0) [0269.324] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dc668, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.324] GetLastError () returned 0x6 [0269.324] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.324] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.324] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0269.324] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.324] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.324] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.324] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0269.324] lstrcmpiW (lpString1="tr-TR", lpString2=".") returned 1 [0269.324] lstrcmpiW (lpString1="tr-TR", lpString2="..") returned 1 [0269.324] lstrcmpiW (lpString1="tr-TR", lpString2="...") returned 1 [0269.324] lstrcmpiW (lpString1="tr-TR", lpString2="windows") returned -1 [0269.324] lstrcmpiW (lpString1="tr-TR", lpString2="$RECYCLE.BIN") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="rsa") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="NTDETECT.COM") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="ntldr") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="MSDOS.SYS") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="IO.SYS") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="boot.ini") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="AUTOEXEC.BAT") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="ntuser.dat") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="desktop.ini") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="CONFIG.SYS") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="RECYCLER") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="BOOTSECT.BAK") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="bootmgr") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="programdata") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="appdata") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="program files") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="program files (x86)") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="microsoft") returned 1 [0269.325] lstrcmpiW (lpString1="tr-TR", lpString2="sophos") returned 1 [0269.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.325] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0269.326] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.326] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.326] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.326] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.326] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.327] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.327] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.327] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.327] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.327] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.327] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.327] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.327] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.328] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.328] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.328] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.333] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbc78 [0269.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbca8 [0269.334] SystemFunction036 (in: RandomBuffer=0x28dbc78, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbc78) returned 1 [0269.334] SystemFunction036 (in: RandomBuffer=0x28dbca8, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbca8) returned 1 [0269.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dd1c0 [0269.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc878 [0269.334] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd1c0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dd1c0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.334] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc878*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dc878*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.336] GetTickCount () returned 0x1183882 [0269.336] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.336] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.336] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.336] SetLastError (dwErrCode=0x0) [0269.336] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dd1c0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.337] GetLastError () returned 0x6 [0269.337] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.337] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.337] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.338] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.338] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.338] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.338] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.338] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.338] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.338] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.339] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.339] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.339] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.339] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28dbc90 [0269.339] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de198 [0269.339] SystemFunction036 (in: RandomBuffer=0x28dbc90, RandomBufferLength=0x10 | out: RandomBuffer=0x28dbc90) returned 1 [0269.339] SystemFunction036 (in: RandomBuffer=0x28de198, RandomBufferLength=0x10 | out: RandomBuffer=0x28de198) returned 1 [0269.339] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dd2c8 [0269.339] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dd6e8 [0269.339] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd2c8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dd2c8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.341] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd6e8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28dd6e8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.342] GetTickCount () returned 0x1183892 [0269.342] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.342] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.342] SetLastError (dwErrCode=0x0) [0269.342] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dd2c8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.342] GetLastError () returned 0x6 [0269.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.342] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.342] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0269.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.342] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0269.342] lstrcmpiW (lpString1="uk-UA", lpString2=".") returned 1 [0269.342] lstrcmpiW (lpString1="uk-UA", lpString2="..") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="...") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="windows") returned -1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="$RECYCLE.BIN") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="rsa") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="NTDETECT.COM") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="ntldr") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="MSDOS.SYS") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="IO.SYS") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="boot.ini") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="AUTOEXEC.BAT") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="ntuser.dat") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="desktop.ini") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="CONFIG.SYS") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="RECYCLER") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="BOOTSECT.BAK") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="bootmgr") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="programdata") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="appdata") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="program files") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="program files (x86)") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="microsoft") returned 1 [0269.343] lstrcmpiW (lpString1="uk-UA", lpString2="sophos") returned 1 [0269.343] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.343] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.343] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.344] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.344] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.344] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0269.344] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.344] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="..", cAlternateFileName="")) returned 1 [0269.344] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.344] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.344] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.344] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.344] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.344] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.344] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.344] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.344] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.345] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.346] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.346] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.346] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.346] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.347] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.347] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de1b0 [0269.347] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de228 [0269.347] SystemFunction036 (in: RandomBuffer=0x28de1b0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de1b0) returned 1 [0269.347] SystemFunction036 (in: RandomBuffer=0x28de228, RandomBufferLength=0x10 | out: RandomBuffer=0x28de228) returned 1 [0269.347] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dda00 [0269.347] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28ddc10 [0269.347] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dda00*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dda00*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.347] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28ddc10*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x28ddc10*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.349] GetTickCount () returned 0x1183892 [0269.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.349] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.349] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.350] SetLastError (dwErrCode=0x0) [0269.350] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dda00, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.350] GetLastError () returned 0x6 [0269.350] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.350] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x28d20d8, dwReserved1=0x58, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0269.350] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0269.351] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.351] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.351] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.352] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2=".") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="..") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="...") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="windows") returned -1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="$RECYCLE.BIN") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="rsa") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="NTDETECT.COM") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="ntldr") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="MSDOS.SYS") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="IO.SYS") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="boot.ini") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="AUTOEXEC.BAT") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="ntuser.dat") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="desktop.ini") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="CONFIG.SYS") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="RECYCLER") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="BOOTSECT.BAK") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="bootmgr") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="programdata") returned 1 [0269.352] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="appdata") returned 1 [0269.353] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="program files") returned 1 [0269.353] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="program files (x86)") returned 1 [0269.353] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="microsoft") returned 1 [0269.353] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="sophos") returned 1 [0269.353] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0269.353] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.353] PathFindExtensionW (pszPath="updaterevokesipolicy.p7b") returned=".p7b" [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".exe") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".log") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".cab") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".cmd") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".com") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".cpl") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".ini") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".dll") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".url") returned -1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".ttf") returned -1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".mp3") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".pif") returned -1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".mp4") returned 1 [0269.353] lstrcmpiW (lpString1=".p7b", lpString2=".NEFILIM") returned 1 [0269.354] lstrcmpiW (lpString1=".p7b", lpString2=".msi") returned 1 [0269.354] lstrcmpiW (lpString1=".p7b", lpString2=".lnk") returned 1 [0269.354] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0269.354] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd18 [0269.354] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.413] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=440599260887424) returned 0 [0269.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de1f8 [0269.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de138 [0269.413] SystemFunction036 (in: RandomBuffer=0x28de1f8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de1f8) returned 1 [0269.413] SystemFunction036 (in: RandomBuffer=0x28de138, RandomBufferLength=0x10 | out: RandomBuffer=0x28de138) returned 1 [0269.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28ddb08 [0269.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28ddd18 [0269.413] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28ddb08*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x28ddb08*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.414] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28ddd18*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x28ddd18*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.416] GetTickCount () returned 0x11838d1 [0269.416] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.416] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.416] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.416] SetLastError (dwErrCode=0x0) [0269.416] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28ddb08, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0) returned 0 [0269.416] GetLastError () returned 0x6 [0269.416] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0269.416] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0269.416] lstrcmpiW (lpString1="zh-CN", lpString2=".") returned 1 [0269.416] lstrcmpiW (lpString1="zh-CN", lpString2="..") returned 1 [0269.416] lstrcmpiW (lpString1="zh-CN", lpString2="...") returned 1 [0269.416] lstrcmpiW (lpString1="zh-CN", lpString2="windows") returned 1 [0269.416] lstrcmpiW (lpString1="zh-CN", lpString2="$RECYCLE.BIN") returned 1 [0269.416] lstrcmpiW (lpString1="zh-CN", lpString2="rsa") returned 1 [0269.416] lstrcmpiW (lpString1="zh-CN", lpString2="NTDETECT.COM") returned 1 [0269.416] lstrcmpiW (lpString1="zh-CN", lpString2="ntldr") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="MSDOS.SYS") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="IO.SYS") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="boot.ini") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="AUTOEXEC.BAT") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="ntuser.dat") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="desktop.ini") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="CONFIG.SYS") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="RECYCLER") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="BOOTSECT.BAK") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="bootmgr") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="programdata") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="appdata") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="program files") returned 1 [0269.417] lstrcmpiW (lpString1="zh-CN", lpString2="program files (x86)") returned 1 [0269.418] lstrcmpiW (lpString1="zh-CN", lpString2="microsoft") returned 1 [0269.418] lstrcmpiW (lpString1="zh-CN", lpString2="sophos") returned 1 [0269.418] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.418] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.418] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.418] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.418] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.418] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0269.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.419] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0269.420] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.420] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.420] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.421] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.421] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.421] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.421] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.421] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.421] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.422] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.422] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.422] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.422] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.422] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.422] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0f0 [0269.423] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de150 [0269.423] SystemFunction036 (in: RandomBuffer=0x28de0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0f0) returned 1 [0269.423] SystemFunction036 (in: RandomBuffer=0x28de150, RandomBufferLength=0x10 | out: RandomBuffer=0x28de150) returned 1 [0269.423] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x28dc980 [0269.423] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d209b8 [0269.423] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc980*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x28dc980*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.424] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d209b8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d209b8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.426] GetTickCount () returned 0x11838e0 [0269.426] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.426] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.426] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.426] SetLastError (dwErrCode=0x0) [0269.426] WriteFile (in: hFile=0xffffffff, lpBuffer=0x28dc980, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.426] GetLastError () returned 0x6 [0269.426] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.426] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.426] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.427] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.427] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.427] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.427] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.427] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.428] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.428] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.428] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.428] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.428] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.428] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfa0 [0269.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de210 [0269.428] SystemFunction036 (in: RandomBuffer=0x28ddfa0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfa0) returned 1 [0269.428] SystemFunction036 (in: RandomBuffer=0x28de210, RandomBufferLength=0x10 | out: RandomBuffer=0x28de210) returned 1 [0269.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20490 [0269.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21e58 [0269.428] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20490*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d20490*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.430] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21e58*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21e58*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.430] GetTickCount () returned 0x11838e0 [0269.430] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.430] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.430] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.430] SetLastError (dwErrCode=0x0) [0269.430] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d20490, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.430] GetLastError () returned 0x6 [0269.430] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.430] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.437] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0269.437] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.437] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.437] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.437] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0269.437] lstrcmpiW (lpString1="zh-HK", lpString2=".") returned 1 [0269.437] lstrcmpiW (lpString1="zh-HK", lpString2="..") returned 1 [0269.437] lstrcmpiW (lpString1="zh-HK", lpString2="...") returned 1 [0269.437] lstrcmpiW (lpString1="zh-HK", lpString2="windows") returned 1 [0269.437] lstrcmpiW (lpString1="zh-HK", lpString2="$RECYCLE.BIN") returned 1 [0269.437] lstrcmpiW (lpString1="zh-HK", lpString2="rsa") returned 1 [0269.437] lstrcmpiW (lpString1="zh-HK", lpString2="NTDETECT.COM") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="ntldr") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="MSDOS.SYS") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="IO.SYS") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="boot.ini") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="AUTOEXEC.BAT") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="ntuser.dat") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="desktop.ini") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="CONFIG.SYS") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="RECYCLER") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="BOOTSECT.BAK") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="bootmgr") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="programdata") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="appdata") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="program files") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="program files (x86)") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="microsoft") returned 1 [0269.438] lstrcmpiW (lpString1="zh-HK", lpString2="sophos") returned 1 [0269.438] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.438] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.438] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.438] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.438] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.438] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xa2f4a0 [0269.439] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.439] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0269.439] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.439] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.439] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.439] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.440] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.440] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.440] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.440] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.440] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.440] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.440] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.440] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.440] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.440] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.440] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.440] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.441] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.441] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.441] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.441] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.441] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.442] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf58 [0269.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de048 [0269.442] SystemFunction036 (in: RandomBuffer=0x28ddf58, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf58) returned 1 [0269.442] SystemFunction036 (in: RandomBuffer=0x28de048, RandomBufferLength=0x10 | out: RandomBuffer=0x28de048) returned 1 [0269.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20388 [0269.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20fe8 [0269.442] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20388*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d20388*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.442] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20fe8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d20fe8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.444] GetTickCount () returned 0x11838ff [0269.444] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.444] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.444] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.444] SetLastError (dwErrCode=0x0) [0269.444] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d20388, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.445] GetLastError () returned 0x6 [0269.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.445] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.445] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.446] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.446] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.446] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.446] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.446] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.446] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.446] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.446] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.447] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.447] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0d8 [0269.447] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfb8 [0269.447] SystemFunction036 (in: RandomBuffer=0x28de0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0d8) returned 1 [0269.447] SystemFunction036 (in: RandomBuffer=0x28ddfb8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfb8) returned 1 [0269.447] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ac0 [0269.447] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d208b0 [0269.447] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ac0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ac0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.449] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d208b0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d208b0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.450] GetTickCount () returned 0x11838ff [0269.450] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.450] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.450] SetLastError (dwErrCode=0x0) [0269.450] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d20ac0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.450] GetLastError () returned 0x6 [0269.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.450] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.450] FindClose (in: hFindFile=0xa2f4a0 | out: hFindFile=0xa2f4a0) returned 1 [0269.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.451] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2=".") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="..") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="...") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="windows") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="$RECYCLE.BIN") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="rsa") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="NTDETECT.COM") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="ntldr") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="MSDOS.SYS") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="IO.SYS") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="boot.ini") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="AUTOEXEC.BAT") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="ntuser.dat") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="desktop.ini") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="CONFIG.SYS") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="RECYCLER") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="BOOTSECT.BAK") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="bootmgr") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="programdata") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="appdata") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="program files") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="program files (x86)") returned 1 [0269.451] lstrcmpiW (lpString1="zh-TW", lpString2="microsoft") returned 1 [0269.452] lstrcmpiW (lpString1="zh-TW", lpString2="sophos") returned 1 [0269.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.452] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12f0 [0269.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.452] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0269.452] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.452] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0269.452] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.452] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.452] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0269.452] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0269.452] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0269.452] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0269.452] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0269.452] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0269.453] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0269.453] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.453] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.453] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0269.453] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.453] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.453] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.453] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.453] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.454] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.454] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.454] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de1c8 [0269.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de090 [0269.454] SystemFunction036 (in: RandomBuffer=0x28de1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de1c8) returned 1 [0269.454] SystemFunction036 (in: RandomBuffer=0x28de090, RandomBufferLength=0x10 | out: RandomBuffer=0x28de090) returned 1 [0269.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d211f8 [0269.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21300 [0269.455] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d211f8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d211f8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.455] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21300*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21300*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.457] GetTickCount () returned 0x11838ff [0269.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.457] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.457] SetLastError (dwErrCode=0x0) [0269.457] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d211f8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.457] GetLastError () returned 0x6 [0269.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.457] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0269.457] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0269.458] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0269.458] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.458] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.458] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0269.458] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0269.459] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0269.459] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0269.459] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0269.459] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0269.459] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0269.459] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.459] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.459] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.460] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0269.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de1e0 [0269.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de018 [0269.460] SystemFunction036 (in: RandomBuffer=0x28de1e0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de1e0) returned 1 [0269.460] SystemFunction036 (in: RandomBuffer=0x28de018, RandomBufferLength=0x10 | out: RandomBuffer=0x28de018) returned 1 [0269.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21510 [0269.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d210f0 [0269.460] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21510*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d21510*, pdwDataLen=0x26eef28*=0x100) returned 1 [0269.462] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d210f0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d210f0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0269.462] GetTickCount () returned 0x11838ff [0269.462] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0269.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.462] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.462] SetLastError (dwErrCode=0x0) [0269.462] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d21510, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0269.462] GetLastError () returned 0x6 [0269.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.463] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x28dbd18, dwReserved1=0x9, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0269.463] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0269.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12f0 | out: hHeap=0x28d0000) returned 1 [0269.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.463] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d12f8, dwReserved1=0x42000042, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0269.463] FindClose (in: hFindFile=0xa2f760 | out: hFindFile=0xa2f760) returned 1 [0269.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c8 | out: hHeap=0x28d0000) returned 1 [0269.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12a0 | out: hHeap=0x28d0000) returned 1 [0269.463] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0269.463] lstrcmpiW (lpString1="bootmgr", lpString2=".") returned 1 [0269.463] lstrcmpiW (lpString1="bootmgr", lpString2="..") returned 1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="...") returned 1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="windows") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="$RECYCLE.BIN") returned 1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="rsa") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="NTDETECT.COM") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="ntldr") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="MSDOS.SYS") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="IO.SYS") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="boot.ini") returned 1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="AUTOEXEC.BAT") returned 1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="ntuser.dat") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="desktop.ini") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="CONFIG.SYS") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="RECYCLER") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="BOOTSECT.BAK") returned -1 [0269.464] lstrcmpiW (lpString1="bootmgr", lpString2="bootmgr") returned 0 [0269.464] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0269.464] lstrcmpiW (lpString1="BOOTNXT", lpString2=".") returned 1 [0269.464] lstrcmpiW (lpString1="BOOTNXT", lpString2="..") returned 1 [0269.464] lstrcmpiW (lpString1="BOOTNXT", lpString2="...") returned 1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="windows") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="$RECYCLE.BIN") returned 1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="rsa") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="NTDETECT.COM") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntldr") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="MSDOS.SYS") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="IO.SYS") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="boot.ini") returned 1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="AUTOEXEC.BAT") returned 1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntuser.dat") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="desktop.ini") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="CONFIG.SYS") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="RECYCLER") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="BOOTSECT.BAK") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="bootmgr") returned 1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="programdata") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="appdata") returned 1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="program files") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="program files (x86)") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="microsoft") returned -1 [0269.465] lstrcmpiW (lpString1="BOOTNXT", lpString2="sophos") returned -1 [0269.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.465] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.465] PathFindExtensionW (pszPath="BOOTNXT") returned="" [0269.466] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".NEFILIM") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0269.466] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0269.466] lstrcmpiW (lpString1="BOOTNXT", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.466] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.466] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x25c [0269.469] GetFileSizeEx (in: hFile=0x25c, lpFileSize=0x26ef5a8 | out: lpFileSize=0x26ef5a8*=1) returned 1 [0269.469] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf70 [0269.469] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0269.469] SystemFunction036 (in: RandomBuffer=0x28ddf70, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf70) returned 1 [0269.469] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0269.469] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0269.469] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0269.469] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef568*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef568*=0x100) returned 1 [0269.469] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ef564*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ef564*=0x100) returned 1 [0269.471] GetTickCount () returned 0x118390f [0269.471] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.471] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.471] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.471] SetLastError (dwErrCode=0x0) [0269.471] WriteFile (in: hFile=0x25c, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef5c0*=0x100, lpOverlapped=0x0) returned 1 [0269.473] GetLastError () returned 0x0 [0269.473] GetLastError () returned 0x0 [0269.473] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x101, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.473] WriteFile (in: hFile=0x25c, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ef5c0*=0x100, lpOverlapped=0x0) returned 1 [0269.473] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x201, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.473] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef57c | out: lpSystemTimeAsFileTime=0x26ef57c*(dwLowDateTime=0xc6ef3987, dwHighDateTime=0x1d5fd73)) [0269.473] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.473] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.473] WriteFile (in: hFile=0x25c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef5c0*=0x7, lpOverlapped=0x0) returned 1 [0269.474] GetProcessHeap () returned 0xa10000 [0269.474] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1) returned 0xa33140 [0269.474] GetSystemDefaultLangID () returned 0xa20409 [0269.474] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.474] ReadFile (in: hFile=0x25c, lpBuffer=0xa33140, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26ef5cc, lpOverlapped=0x0 | out: lpBuffer=0xa33140*, lpNumberOfBytesRead=0x26ef5cc*=0x1, lpOverlapped=0x0) returned 1 [0269.474] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.474] WriteFile (in: hFile=0x25c, lpBuffer=0xa33140*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpBuffer=0xa33140*, lpNumberOfBytesWritten=0x26ef5c0*=0x1, lpOverlapped=0x0) returned 1 [0269.474] GetProcessHeap () returned 0xa10000 [0269.474] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa33140 | out: hHeap=0xa10000) returned 1 [0269.474] CloseHandle (hObject=0x25c) returned 1 [0269.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0269.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0269.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf70 | out: hHeap=0x28d0000) returned 1 [0269.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0269.475] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.475] MoveFileW (lpExistingFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="C:\\BOOTNXT.NEFILIM" (normalized: "c:\\bootnxt.nefilim")) returned 1 [0269.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.476] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0269.476] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0269.476] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0269.476] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="...") returned 1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="windows") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$RECYCLE.BIN") returned 1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="rsa") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="NTDETECT.COM") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ntldr") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="MSDOS.SYS") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="IO.SYS") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="boot.ini") returned 1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="AUTOEXEC.BAT") returned 1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ntuser.dat") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="desktop.ini") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="CONFIG.SYS") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="RECYCLER") returned -1 [0269.477] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="BOOTSECT.BAK") returned 0 [0269.477] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0269.477] lstrcmpiW (lpString1="Documents and Settings", lpString2=".") returned 1 [0269.477] lstrcmpiW (lpString1="Documents and Settings", lpString2="..") returned 1 [0269.477] lstrcmpiW (lpString1="Documents and Settings", lpString2="...") returned 1 [0269.477] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows") returned -1 [0269.477] lstrcmpiW (lpString1="Documents and Settings", lpString2="$RECYCLE.BIN") returned 1 [0269.477] lstrcmpiW (lpString1="Documents and Settings", lpString2="rsa") returned -1 [0269.477] lstrcmpiW (lpString1="Documents and Settings", lpString2="NTDETECT.COM") returned -1 [0269.477] lstrcmpiW (lpString1="Documents and Settings", lpString2="ntldr") returned -1 [0269.477] lstrcmpiW (lpString1="Documents and Settings", lpString2="MSDOS.SYS") returned -1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="IO.SYS") returned -1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="boot.ini") returned 1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="AUTOEXEC.BAT") returned 1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="ntuser.dat") returned -1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="desktop.ini") returned 1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="CONFIG.SYS") returned 1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="RECYCLER") returned -1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="BOOTSECT.BAK") returned 1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="bootmgr") returned 1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="programdata") returned -1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="appdata") returned 1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="program files") returned -1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="program files (x86)") returned -1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="microsoft") returned -1 [0269.478] lstrcmpiW (lpString1="Documents and Settings", lpString2="sophos") returned -1 [0269.478] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0269.478] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.478] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.478] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0269.478] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0269.478] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x3c, ftLastAccessTime.dwLowDateTime=0xa10000, ftLastAccessTime.dwHighDateTime=0x14000014, ftLastWriteTime.dwLowDateTime=0x779b15ca, ftLastWriteTime.dwHighDateTime=0xfcbf0d31, nFileSizeHigh=0x28d0000, nFileSizeLow=0x9000009, dwReserved0=0x28d20d8, dwReserved1=0x48, cFileName="", cAlternateFileName="ɮ⊺\x01ᒸʍ⌰ʍ4")) returned 0xffffffff [0269.481] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.481] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.481] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.481] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0269.481] lstrcmpiW (lpString1="ESD", lpString2=".") returned 1 [0269.481] lstrcmpiW (lpString1="ESD", lpString2="..") returned 1 [0269.481] lstrcmpiW (lpString1="ESD", lpString2="...") returned 1 [0269.481] lstrcmpiW (lpString1="ESD", lpString2="windows") returned -1 [0269.481] lstrcmpiW (lpString1="ESD", lpString2="$RECYCLE.BIN") returned 1 [0269.481] lstrcmpiW (lpString1="ESD", lpString2="rsa") returned -1 [0269.481] lstrcmpiW (lpString1="ESD", lpString2="NTDETECT.COM") returned -1 [0269.481] lstrcmpiW (lpString1="ESD", lpString2="ntldr") returned -1 [0269.481] lstrcmpiW (lpString1="ESD", lpString2="MSDOS.SYS") returned -1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="IO.SYS") returned -1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="boot.ini") returned 1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="AUTOEXEC.BAT") returned 1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="ntuser.dat") returned -1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="desktop.ini") returned 1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="CONFIG.SYS") returned 1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="RECYCLER") returned -1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="BOOTSECT.BAK") returned 1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="bootmgr") returned 1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="programdata") returned -1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="appdata") returned 1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="program files") returned -1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="program files (x86)") returned -1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="microsoft") returned -1 [0269.482] lstrcmpiW (lpString1="ESD", lpString2="sophos") returned -1 [0269.482] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.482] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.482] FindFirstFileW (in: lpFileName="C:\\ESD\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x48, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0269.487] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.487] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x48, cFileName="..", cAlternateFileName="")) returned 1 [0269.487] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.487] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.487] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x48, cFileName="..", cAlternateFileName="")) returned 0 [0269.487] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0269.488] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.488] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab460c6f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="...") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="windows") returned -1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$RECYCLE.BIN") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="rsa") returned -1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="NTDETECT.COM") returned -1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ntldr") returned -1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="MSDOS.SYS") returned -1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="IO.SYS") returned -1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="boot.ini") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="AUTOEXEC.BAT") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ntuser.dat") returned -1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="desktop.ini") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="CONFIG.SYS") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="RECYCLER") returned -1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="BOOTSECT.BAK") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="bootmgr") returned 1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="programdata") returned -1 [0269.488] lstrcmpiW (lpString1="hiberfil.sys", lpString2="appdata") returned 1 [0269.489] lstrcmpiW (lpString1="hiberfil.sys", lpString2="program files") returned -1 [0269.489] lstrcmpiW (lpString1="hiberfil.sys", lpString2="program files (x86)") returned -1 [0269.489] lstrcmpiW (lpString1="hiberfil.sys", lpString2="microsoft") returned -1 [0269.489] lstrcmpiW (lpString1="hiberfil.sys", lpString2="sophos") returned -1 [0269.489] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.489] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0269.489] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0269.489] lstrcmpiW (lpString1="hiberfil.sys", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.489] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.489] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.490] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26ef5a8 | out: lpFileSize=0x26ef5a8*=440599260887424) returned 0 [0269.490] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf40 [0269.490] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf70 [0269.490] SystemFunction036 (in: RandomBuffer=0x28ddf40, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf40) returned 1 [0269.490] SystemFunction036 (in: RandomBuffer=0x28ddf70, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf70) returned 1 [0269.490] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20cd0 [0269.490] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20280 [0269.490] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20cd0*, pdwDataLen=0x26ef568*=0x10, dwBufLen=0x100 | out: pbData=0x2d20cd0*, pdwDataLen=0x26ef568*=0x100) returned 1 [0269.493] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20280*, pdwDataLen=0x26ef564*=0x10, dwBufLen=0x100 | out: pbData=0x2d20280*, pdwDataLen=0x26ef564*=0x100) returned 1 [0269.497] GetTickCount () returned 0x118392e [0269.497] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0269.497] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0269.497] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0269.497] SetLastError (dwErrCode=0x0) [0269.497] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d20cd0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0) returned 0 [0269.497] GetLastError () returned 0x6 [0269.497] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0269.498] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="rsa") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="NTDETECT.COM") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="ntldr") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="MSDOS.SYS") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="IO.SYS") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="boot.ini") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="AUTOEXEC.BAT") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="ntuser.dat") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="desktop.ini") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="CONFIG.SYS") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="RECYCLER") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="BOOTSECT.BAK") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="programdata") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="appdata") returned 1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="program files") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="program files (x86)") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="microsoft") returned -1 [0269.498] lstrcmpiW (lpString1="Logs", lpString2="sophos") returned -1 [0269.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0269.499] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0269.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0269.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d2330 [0269.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d14b8 [0269.499] FindFirstFileW (in: lpFileName="C:\\Logs\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0269.505] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0269.505] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0269.515] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0269.515] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0269.515] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Application.evtx", cAlternateFileName="APPLIC~1.EVT")) returned 1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2=".") returned 1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="..") returned 1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="...") returned 1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="windows") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="rsa") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="NTDETECT.COM") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="ntldr") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="MSDOS.SYS") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="IO.SYS") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="boot.ini") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="AUTOEXEC.BAT") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="ntuser.dat") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="desktop.ini") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="CONFIG.SYS") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="RECYCLER") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="BOOTSECT.BAK") returned -1 [0269.515] lstrcmpiW (lpString1="Application.evtx", lpString2="bootmgr") returned -1 [0269.516] lstrcmpiW (lpString1="Application.evtx", lpString2="programdata") returned -1 [0269.516] lstrcmpiW (lpString1="Application.evtx", lpString2="appdata") returned 1 [0269.516] lstrcmpiW (lpString1="Application.evtx", lpString2="program files") returned -1 [0269.516] lstrcmpiW (lpString1="Application.evtx", lpString2="program files (x86)") returned -1 [0269.516] lstrcmpiW (lpString1="Application.evtx", lpString2="microsoft") returned -1 [0269.516] lstrcmpiW (lpString1="Application.evtx", lpString2="sophos") returned -1 [0269.516] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0269.516] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.516] PathFindExtensionW (pszPath="Application.evtx") returned=".evtx" [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.516] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.517] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.517] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.517] lstrcmpiW (lpString1="Application.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.517] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.517] CreateFileW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.541] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.542] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0269.542] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0269.542] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0269.542] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0269.542] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0269.542] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0269.542] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.544] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.545] GetTickCount () returned 0x118395d [0269.545] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12c0 [0269.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.546] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.546] SetLastError (dwErrCode=0x0) [0269.546] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.547] GetLastError () returned 0x0 [0269.547] GetLastError () returned 0x0 [0269.547] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.547] WriteFile (in: hFile=0x260, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.547] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.547] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc6fb254a, dwHighDateTime=0x1d5fd73)) [0269.547] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0269.547] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.548] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.548] GetProcessHeap () returned 0xa10000 [0269.548] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.548] GetSystemDefaultLangID () returned 0xa20409 [0269.548] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.548] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.554] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.554] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.554] GetProcessHeap () returned 0xa10000 [0269.554] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.554] CloseHandle (hObject=0x260) returned 1 [0269.567] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0269.567] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0269.567] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0269.567] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0269.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0269.567] MoveFileW (lpExistingFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), lpNewFileName="C:\\Logs\\Application.evtx.NEFILIM" (normalized: "c:\\logs\\application.evtx.nefilim")) returned 1 [0269.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.568] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="HardwareEvents.evtx", cAlternateFileName="HARDWA~1.EVT")) returned 1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2=".") returned 1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="..") returned 1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="...") returned 1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="windows") returned -1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="rsa") returned -1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="NTDETECT.COM") returned -1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="ntldr") returned -1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="MSDOS.SYS") returned -1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="IO.SYS") returned -1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="boot.ini") returned 1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="ntuser.dat") returned -1 [0269.568] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="desktop.ini") returned 1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="CONFIG.SYS") returned 1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="RECYCLER") returned -1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="bootmgr") returned 1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="programdata") returned -1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="appdata") returned 1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="program files") returned -1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="program files (x86)") returned -1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="microsoft") returned -1 [0269.569] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="sophos") returned -1 [0269.569] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.569] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.569] PathFindExtensionW (pszPath="HardwareEvents.evtx") returned=".evtx" [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.569] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.570] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.570] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.570] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.570] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.570] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0269.570] CreateFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.586] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0269.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0269.586] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0269.586] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0269.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0269.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0269.586] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.587] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.587] GetTickCount () returned 0x118397c [0269.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12c0 [0269.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.587] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.587] SetLastError (dwErrCode=0x0) [0269.587] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.590] GetLastError () returned 0x0 [0269.590] GetLastError () returned 0x0 [0269.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.590] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.590] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7024dab, dwHighDateTime=0x1d5fd73)) [0269.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0269.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.590] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.590] GetProcessHeap () returned 0xa10000 [0269.590] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.590] GetSystemDefaultLangID () returned 0xa20409 [0269.591] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.591] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.596] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.596] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.597] GetProcessHeap () returned 0xa10000 [0269.597] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.597] CloseHandle (hObject=0x260) returned 1 [0269.599] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0269.600] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0269.600] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0269.600] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0269.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0269.600] MoveFileW (lpExistingFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), lpNewFileName="C:\\Logs\\HardwareEvents.evtx.NEFILIM" (normalized: "c:\\logs\\hardwareevents.evtx.nefilim")) returned 1 [0269.601] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.601] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.601] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Internet Explorer.evtx", cAlternateFileName="INTERN~1.EVT")) returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2=".") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="..") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="...") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="windows") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="rsa") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="NTDETECT.COM") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="ntldr") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="MSDOS.SYS") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="IO.SYS") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="boot.ini") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="ntuser.dat") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="desktop.ini") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="CONFIG.SYS") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="RECYCLER") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="bootmgr") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="programdata") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="appdata") returned 1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="program files") returned -1 [0269.601] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="program files (x86)") returned -1 [0269.602] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="microsoft") returned -1 [0269.602] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="sophos") returned -1 [0269.602] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0269.602] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.602] PathFindExtensionW (pszPath="Internet Explorer.evtx") returned=".evtx" [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.602] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.602] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.602] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.602] CreateFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.603] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.603] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0269.603] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0269.603] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0269.603] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0269.603] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20070 [0269.603] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0269.603] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.604] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.606] GetTickCount () returned 0x118399c [0269.606] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12c0 [0269.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.606] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.606] SetLastError (dwErrCode=0x0) [0269.606] WriteFile (in: hFile=0x260, lpBuffer=0x2d20070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20070*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.608] GetLastError () returned 0x0 [0269.608] GetLastError () returned 0x0 [0269.608] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.608] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.608] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.608] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc704af87, dwHighDateTime=0x1d5fd73)) [0269.608] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0269.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.608] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.608] GetProcessHeap () returned 0xa10000 [0269.608] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.610] GetSystemDefaultLangID () returned 0xa20409 [0269.610] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.610] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.616] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.616] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.617] GetProcessHeap () returned 0xa10000 [0269.617] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.617] CloseHandle (hObject=0x260) returned 1 [0269.619] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20070 | out: hHeap=0x28d0000) returned 1 [0269.619] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0269.620] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0269.620] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0269.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0269.620] MoveFileW (lpExistingFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), lpNewFileName="C:\\Logs\\Internet Explorer.evtx.NEFILIM" (normalized: "c:\\logs\\internet explorer.evtx.nefilim")) returned 1 [0269.621] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.621] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.621] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Key Management Service.evtx", cAlternateFileName="KEYMAN~1.EVT")) returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2=".") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="..") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="...") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="windows") returned -1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="rsa") returned -1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="NTDETECT.COM") returned -1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="ntldr") returned -1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="MSDOS.SYS") returned -1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="IO.SYS") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="boot.ini") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="ntuser.dat") returned -1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="desktop.ini") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="CONFIG.SYS") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="RECYCLER") returned -1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="bootmgr") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="programdata") returned -1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="appdata") returned 1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="program files") returned -1 [0269.621] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="program files (x86)") returned -1 [0269.622] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="microsoft") returned -1 [0269.622] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="sophos") returned -1 [0269.622] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0269.622] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.622] PathFindExtensionW (pszPath="Key Management Service.evtx") returned=".evtx" [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.622] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.622] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.622] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0269.622] CreateFileW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.623] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.623] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0269.623] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0269.623] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0269.623] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0269.623] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0269.623] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0269.623] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.625] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.627] GetTickCount () returned 0x11839ab [0269.627] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0269.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.627] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.627] SetLastError (dwErrCode=0x0) [0269.627] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.628] GetLastError () returned 0x0 [0269.628] GetLastError () returned 0x0 [0269.628] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.628] WriteFile (in: hFile=0x260, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.628] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.628] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc70712e2, dwHighDateTime=0x1d5fd73)) [0269.628] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0269.629] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.629] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.629] GetProcessHeap () returned 0xa10000 [0269.629] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.629] GetSystemDefaultLangID () returned 0xa20409 [0269.629] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.629] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.637] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.637] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.637] GetProcessHeap () returned 0xa10000 [0269.637] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.637] CloseHandle (hObject=0x260) returned 1 [0269.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0269.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0269.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0269.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0269.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0269.649] MoveFileW (lpExistingFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), lpNewFileName="C:\\Logs\\Key Management Service.evtx.NEFILIM" (normalized: "c:\\logs\\key management service.evtx.nefilim")) returned 1 [0269.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0269.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.650] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx", cAlternateFileName="MICROS~1.EVT")) returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2=".") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="..") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="...") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="windows") returned -1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="rsa") returned -1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="ntldr") returned -1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="IO.SYS") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="boot.ini") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="desktop.ini") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="RECYCLER") returned -1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.650] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="bootmgr") returned 1 [0269.651] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="programdata") returned -1 [0269.651] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="appdata") returned 1 [0269.651] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="program files") returned -1 [0269.651] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="program files (x86)") returned -1 [0269.651] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="microsoft") returned 1 [0269.651] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="sophos") returned -1 [0269.651] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0269.651] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0269.651] PathFindExtensionW (pszPath="Microsoft-Client-Licensing-Platform%4Admin.evtx") returned=".evtx" [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.651] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.652] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.652] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.652] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.652] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.652] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.652] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0269.652] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.652] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0269.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0269.652] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0269.652] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0269.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0269.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0269.652] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.653] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.655] GetTickCount () returned 0x11839cb [0269.655] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.655] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.655] SetLastError (dwErrCode=0x0) [0269.655] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.665] GetLastError () returned 0x0 [0269.665] GetLastError () returned 0x0 [0269.665] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.665] WriteFile (in: hFile=0x260, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.665] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.665] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc70bd871, dwHighDateTime=0x1d5fd73)) [0269.665] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.665] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.665] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.665] GetProcessHeap () returned 0xa10000 [0269.665] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.667] GetSystemDefaultLangID () returned 0xa20409 [0269.667] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.667] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.677] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.677] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.677] GetProcessHeap () returned 0xa10000 [0269.677] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.677] CloseHandle (hObject=0x260) returned 1 [0269.692] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0269.692] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0269.692] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0269.692] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0269.692] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0269.692] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.nefilim")) returned 1 [0269.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0269.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.693] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cAlternateFileName="MICROS~2.EVT")) returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2=".") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="..") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="...") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="windows") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="rsa") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="NTDETECT.COM") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="ntldr") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="MSDOS.SYS") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="IO.SYS") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="boot.ini") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="ntuser.dat") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="desktop.ini") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="CONFIG.SYS") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="RECYCLER") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="bootmgr") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="programdata") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="appdata") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="program files") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="program files (x86)") returned -1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="microsoft") returned 1 [0269.694] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="sophos") returned -1 [0269.695] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbd38 [0269.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.695] PathFindExtensionW (pszPath="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned=".evtx" [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.695] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.695] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.695] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbdf0 [0269.695] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.697] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.697] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0269.697] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0269.697] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0269.697] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0269.697] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0269.697] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0269.697] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.699] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.702] GetTickCount () returned 0x11839f9 [0269.702] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.702] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.702] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.702] SetLastError (dwErrCode=0x0) [0269.702] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.703] GetLastError () returned 0x0 [0269.703] GetLastError () returned 0x0 [0269.703] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.703] WriteFile (in: hFile=0x260, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.704] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.704] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc712fc97, dwHighDateTime=0x1d5fd73)) [0269.704] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.704] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.704] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.704] GetProcessHeap () returned 0xa10000 [0269.704] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.705] GetSystemDefaultLangID () returned 0xa20409 [0269.705] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.705] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.714] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.714] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.715] GetProcessHeap () returned 0xa10000 [0269.715] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.715] CloseHandle (hObject=0x260) returned 1 [0269.721] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0269.721] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0269.721] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0269.721] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0269.721] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de318 [0269.721] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.nefilim")) returned 1 [0269.722] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0269.722] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0269.722] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cAlternateFileName="MICROS~3.EVT")) returned 1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2=".") returned 1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="..") returned 1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="...") returned 1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="windows") returned -1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="rsa") returned -1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="ntldr") returned -1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="IO.SYS") returned 1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="boot.ini") returned 1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.722] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="desktop.ini") returned 1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="RECYCLER") returned -1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="bootmgr") returned 1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="programdata") returned -1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="appdata") returned 1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="program files") returned -1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="program files (x86)") returned -1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="microsoft") returned 1 [0269.723] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="sophos") returned -1 [0269.723] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbdf0 [0269.723] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0269.723] PathFindExtensionW (pszPath="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned=".evtx" [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.723] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.724] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.724] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.724] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.724] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.724] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.724] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbcc0 [0269.724] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.725] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1052672) returned 1 [0269.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0269.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0269.725] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0269.725] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0269.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0269.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0269.726] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.727] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.729] GetTickCount () returned 0x1183a09 [0269.729] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.729] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.729] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.729] SetLastError (dwErrCode=0x0) [0269.729] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.731] GetLastError () returned 0x0 [0269.731] GetLastError () returned 0x0 [0269.731] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.731] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.731] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.731] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc717c302, dwHighDateTime=0x1d5fd73)) [0269.731] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.731] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.731] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.731] GetProcessHeap () returned 0xa10000 [0269.731] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x101000) returned 0x2e24020 [0269.735] GetSystemDefaultLangID () returned 0xa20409 [0269.735] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.735] ReadFile (in: hFile=0x260, lpBuffer=0x2e24020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e24020*, lpNumberOfBytesRead=0x26ef2ac*=0x101000, lpOverlapped=0x0) returned 1 [0269.821] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.822] WriteFile (in: hFile=0x260, lpBuffer=0x2e24020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e24020*, lpNumberOfBytesWritten=0x26ef2a0*=0x101000, lpOverlapped=0x0) returned 1 [0269.825] GetProcessHeap () returned 0xa10000 [0269.825] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0x2e24020 | out: hHeap=0xa10000) returned 1 [0269.831] CloseHandle (hObject=0x260) returned 1 [0269.856] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0269.856] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0269.857] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0269.857] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0269.857] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0269.857] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.nefilim")) returned 1 [0269.857] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0269.858] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.858] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cAlternateFileName="MICROS~4.EVT")) returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2=".") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="..") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="...") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="windows") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="rsa") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="NTDETECT.COM") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="ntldr") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="MSDOS.SYS") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="IO.SYS") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="boot.ini") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="ntuser.dat") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="desktop.ini") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="CONFIG.SYS") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="RECYCLER") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="bootmgr") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="programdata") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="appdata") returned 1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="program files") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="program files (x86)") returned -1 [0269.858] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="microsoft") returned 1 [0269.859] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="sophos") returned -1 [0269.859] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0269.859] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0269.859] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned=".evtx" [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.859] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.859] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.859] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0269.859] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.860] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0269.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0269.860] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0269.860] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0269.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0269.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0269.860] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.860] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.862] GetTickCount () returned 0x1183aa5 [0269.862] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.862] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.862] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.862] SetLastError (dwErrCode=0x0) [0269.862] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.863] GetLastError () returned 0x0 [0269.863] GetLastError () returned 0x0 [0269.863] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.863] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.864] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.864] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc72b216e, dwHighDateTime=0x1d5fd73)) [0269.864] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.864] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.864] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.864] GetProcessHeap () returned 0xa10000 [0269.864] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.865] GetSystemDefaultLangID () returned 0xa20409 [0269.865] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.865] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.870] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.870] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.871] GetProcessHeap () returned 0xa10000 [0269.871] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.871] CloseHandle (hObject=0x260) returned 1 [0269.875] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0269.876] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0269.876] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0269.876] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0269.876] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0269.876] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.nefilim")) returned 1 [0269.881] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0269.881] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.881] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cAlternateFileName="MI2EEA~1.EVT")) returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2=".") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="..") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="...") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="windows") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="rsa") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="NTDETECT.COM") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="ntldr") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="MSDOS.SYS") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="IO.SYS") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="boot.ini") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="ntuser.dat") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="desktop.ini") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="CONFIG.SYS") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="RECYCLER") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="bootmgr") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="programdata") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="appdata") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="program files") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="program files (x86)") returned -1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="microsoft") returned 1 [0269.881] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="sophos") returned -1 [0269.881] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0269.882] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.882] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned=".evtx" [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.882] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.882] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.882] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0269.882] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.883] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.883] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0269.883] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0269.883] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0269.883] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0269.883] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0269.883] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0269.883] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.884] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.889] GetTickCount () returned 0x1183ab5 [0269.889] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.889] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.889] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.889] SetLastError (dwErrCode=0x0) [0269.889] WriteFile (in: hFile=0x260, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.891] GetLastError () returned 0x0 [0269.891] GetLastError () returned 0x0 [0269.891] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.891] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.891] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.891] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc72f9a3e, dwHighDateTime=0x1d5fd73)) [0269.891] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.891] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.891] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.891] GetProcessHeap () returned 0xa10000 [0269.891] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.893] GetSystemDefaultLangID () returned 0xa20409 [0269.893] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.893] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.900] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.900] GetProcessHeap () returned 0xa10000 [0269.900] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.901] CloseHandle (hObject=0x260) returned 1 [0269.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0269.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0269.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0269.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0269.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0269.911] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.nefilim")) returned 1 [0269.912] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0269.912] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.912] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cAlternateFileName="MI07E1~1.EVT")) returned 1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2=".") returned 1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="..") returned 1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="...") returned 1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="windows") returned -1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="rsa") returned -1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="NTDETECT.COM") returned -1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="ntldr") returned -1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="MSDOS.SYS") returned -1 [0269.912] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="IO.SYS") returned 1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="boot.ini") returned 1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="ntuser.dat") returned -1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="desktop.ini") returned 1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="CONFIG.SYS") returned 1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="RECYCLER") returned -1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="bootmgr") returned 1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="programdata") returned -1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="appdata") returned 1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="program files") returned -1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="program files (x86)") returned -1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="microsoft") returned 1 [0269.913] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="sophos") returned -1 [0269.913] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28d1278 [0269.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.913] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned=".evtx" [0269.913] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.913] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.913] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.913] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.913] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.913] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.913] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.913] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.913] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.914] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.914] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.914] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.914] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.914] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.914] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.914] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.914] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0269.914] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.914] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0269.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0269.914] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0269.915] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0269.915] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0269.915] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0269.915] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.917] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.921] GetTickCount () returned 0x1183ad4 [0269.921] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.921] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.921] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.921] SetLastError (dwErrCode=0x0) [0269.921] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.923] GetLastError () returned 0x0 [0269.923] GetLastError () returned 0x0 [0269.923] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.923] WriteFile (in: hFile=0x260, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.923] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.923] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7345f36, dwHighDateTime=0x1d5fd73)) [0269.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.923] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.924] GetProcessHeap () returned 0xa10000 [0269.924] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.925] GetSystemDefaultLangID () returned 0xa20409 [0269.925] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.925] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.934] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.934] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.934] GetProcessHeap () returned 0xa10000 [0269.934] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.934] CloseHandle (hObject=0x260) returned 1 [0269.946] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0269.946] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0269.946] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0269.946] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0269.946] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd58 [0269.946] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.nefilim")) returned 1 [0269.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd58 | out: hHeap=0x28d0000) returned 1 [0269.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.947] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cAlternateFileName="MI8196~1.EVT")) returned 1 [0269.947] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2=".") returned 1 [0269.947] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="..") returned 1 [0269.947] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="...") returned 1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="windows") returned -1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="rsa") returned -1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="NTDETECT.COM") returned -1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="ntldr") returned -1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="MSDOS.SYS") returned -1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="IO.SYS") returned 1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="boot.ini") returned 1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.948] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="ntuser.dat") returned -1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="desktop.ini") returned 1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="CONFIG.SYS") returned 1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="RECYCLER") returned -1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="bootmgr") returned 1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="programdata") returned -1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="appdata") returned 1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="program files") returned -1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="program files (x86)") returned -1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="microsoft") returned 1 [0269.951] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="sophos") returned -1 [0269.951] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0269.951] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.951] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned=".evtx" [0269.951] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.951] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.952] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.952] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.952] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28d1278 [0269.953] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.953] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.953] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0269.953] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0269.953] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0269.953] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0269.953] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0269.953] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0269.953] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.955] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.958] GetTickCount () returned 0x1183af3 [0269.958] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.958] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.958] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.958] SetLastError (dwErrCode=0x0) [0269.958] WriteFile (in: hFile=0x260, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.959] GetLastError () returned 0x0 [0269.959] GetLastError () returned 0x0 [0269.959] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.959] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.959] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.959] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7392597, dwHighDateTime=0x1d5fd73)) [0269.959] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.959] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.959] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.959] GetProcessHeap () returned 0xa10000 [0269.960] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.961] GetSystemDefaultLangID () returned 0xa20409 [0269.961] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.961] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0269.967] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.967] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0269.967] GetProcessHeap () returned 0xa10000 [0269.967] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0269.967] CloseHandle (hObject=0x260) returned 1 [0269.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0269.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0269.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0269.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0269.972] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd58 [0269.972] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.nefilim")) returned 1 [0269.973] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd58 | out: hHeap=0x28d0000) returned 1 [0269.973] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0269.973] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cAlternateFileName="MIE36C~1.EVT")) returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2=".") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="..") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="...") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="windows") returned -1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="rsa") returned -1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="ntldr") returned -1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="IO.SYS") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="boot.ini") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="desktop.ini") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="RECYCLER") returned -1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="bootmgr") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="programdata") returned -1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="appdata") returned 1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="program files") returned -1 [0269.973] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="program files (x86)") returned -1 [0269.974] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="microsoft") returned 1 [0269.974] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="sophos") returned -1 [0269.974] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0269.974] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0269.974] PathFindExtensionW (pszPath="Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned=".evtx" [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0269.974] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0269.974] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0269.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0269.979] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0269.979] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0269.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0269.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0269.979] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0269.979] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0269.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0269.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0269.979] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ef248*=0x100) returned 1 [0269.981] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ef244*=0x100) returned 1 [0269.985] GetTickCount () returned 0x1183b13 [0269.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0269.985] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.985] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.985] SetLastError (dwErrCode=0x0) [0269.985] WriteFile (in: hFile=0x260, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.987] GetLastError () returned 0x0 [0269.987] GetLastError () returned 0x0 [0269.987] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.987] WriteFile (in: hFile=0x260, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0269.987] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.987] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc73de8ef, dwHighDateTime=0x1d5fd73)) [0269.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0269.987] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0269.987] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0269.988] GetProcessHeap () returned 0xa10000 [0269.988] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0269.988] GetSystemDefaultLangID () returned 0xa20409 [0269.988] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0269.988] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.065] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.065] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.066] GetProcessHeap () returned 0xa10000 [0270.066] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.066] CloseHandle (hObject=0x260) returned 1 [0270.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0270.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0270.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0270.072] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0270.072] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0270.072] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.nefilim")) returned 1 [0270.073] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0270.073] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.073] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx", cAlternateFileName="MIC5CB~1.EVT")) returned 1 [0270.073] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2=".") returned 1 [0270.073] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="..") returned 1 [0270.073] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="...") returned 1 [0270.073] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="windows") returned -1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="rsa") returned -1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="ntldr") returned -1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="IO.SYS") returned 1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="boot.ini") returned 1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="desktop.ini") returned 1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="RECYCLER") returned -1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="bootmgr") returned 1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="programdata") returned -1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="appdata") returned 1 [0270.074] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="program files") returned -1 [0270.075] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="program files (x86)") returned -1 [0270.075] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="microsoft") returned 1 [0270.075] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="sophos") returned -1 [0270.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0270.075] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.075] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Admin.evtx") returned=".evtx" [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.075] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.076] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.076] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.076] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.076] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.076] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.076] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.076] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0270.076] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.076] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.076] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0270.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0270.077] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0270.077] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0270.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0270.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0270.077] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.079] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.082] GetTickCount () returned 0x1183b70 [0270.082] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.082] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.082] SetLastError (dwErrCode=0x0) [0270.082] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.083] GetLastError () returned 0x0 [0270.083] GetLastError () returned 0x0 [0270.083] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.083] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.084] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.084] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc74c3788, dwHighDateTime=0x1d5fd73)) [0270.084] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.084] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.084] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.084] GetProcessHeap () returned 0xa10000 [0270.084] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.084] GetSystemDefaultLangID () returned 0xa20409 [0270.084] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.084] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.091] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.091] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.092] GetProcessHeap () returned 0xa10000 [0270.092] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.092] CloseHandle (hObject=0x260) returned 1 [0270.095] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0270.095] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0270.095] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0270.095] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0270.096] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0270.096] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.nefilim")) returned 1 [0270.096] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0270.097] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.097] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx", cAlternateFileName="MIF8AA~1.EVT")) returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2=".") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="..") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="...") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="windows") returned -1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="rsa") returned -1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="ntldr") returned -1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="programdata") returned -1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="appdata") returned 1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="program files") returned -1 [0270.097] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.098] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="microsoft") returned 1 [0270.098] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="sophos") returned -1 [0270.098] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.098] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.098] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Operational.evtx") returned=".evtx" [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.098] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.099] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.099] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.099] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.099] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.099] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.099] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.099] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.105] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1118208) returned 1 [0270.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0270.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0270.105] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0270.105] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0270.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0270.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0270.105] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.107] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.109] GetTickCount () returned 0x1183b90 [0270.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.109] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.109] SetLastError (dwErrCode=0x0) [0270.109] WriteFile (in: hFile=0x260, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.111] GetLastError () returned 0x0 [0270.111] GetLastError () returned 0x0 [0270.111] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.111] WriteFile (in: hFile=0x260, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.111] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.111] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc750f9e6, dwHighDateTime=0x1d5fd73)) [0270.111] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.111] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.111] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.111] GetProcessHeap () returned 0xa10000 [0270.111] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x111000) returned 0x2e2f020 [0270.115] GetSystemDefaultLangID () returned 0xa20409 [0270.115] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.115] ReadFile (in: hFile=0x260, lpBuffer=0x2e2f020, nNumberOfBytesToRead=0x111000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e2f020*, lpNumberOfBytesRead=0x26ef2ac*=0x111000, lpOverlapped=0x0) returned 1 [0270.258] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.258] WriteFile (in: hFile=0x260, lpBuffer=0x2e2f020*, nNumberOfBytesToWrite=0x111000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e2f020*, lpNumberOfBytesWritten=0x26ef2a0*=0x111000, lpOverlapped=0x0) returned 1 [0270.262] GetProcessHeap () returned 0xa10000 [0270.262] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0x2e2f020 | out: hHeap=0xa10000) returned 1 [0270.269] CloseHandle (hObject=0x260) returned 1 [0270.328] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0270.328] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0270.328] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0270.328] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0270.328] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0270.329] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.nefilim")) returned 1 [0270.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0270.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.330] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx", cAlternateFileName="MI34FE~1.EVT")) returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2=".") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="..") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="...") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="windows") returned -1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="rsa") returned -1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="ntldr") returned -1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="programdata") returned -1 [0270.330] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="appdata") returned 1 [0270.331] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="program files") returned -1 [0270.331] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.331] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="microsoft") returned 1 [0270.331] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="sophos") returned -1 [0270.331] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.331] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.331] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeployment%4Operational.evtx") returned=".evtx" [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.331] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.332] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.332] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.332] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.332] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0270.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0270.332] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0270.332] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0270.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20070 [0270.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0270.332] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.333] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.333] GetTickCount () returned 0x1183c7a [0270.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.333] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.333] SetLastError (dwErrCode=0x0) [0270.333] WriteFile (in: hFile=0x260, lpBuffer=0x2d20070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20070*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.334] GetLastError () returned 0x0 [0270.334] GetLastError () returned 0x0 [0270.334] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.334] WriteFile (in: hFile=0x260, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.335] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.335] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc773226f, dwHighDateTime=0x1d5fd73)) [0270.335] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.335] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.335] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.335] GetProcessHeap () returned 0xa10000 [0270.335] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.335] GetSystemDefaultLangID () returned 0xa20409 [0270.335] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.335] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.341] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.341] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.342] GetProcessHeap () returned 0xa10000 [0270.342] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.342] CloseHandle (hObject=0x260) returned 1 [0270.346] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20070 | out: hHeap=0x28d0000) returned 1 [0270.346] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0270.346] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0270.346] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0270.346] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0270.346] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.nefilim")) returned 1 [0270.347] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0270.347] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.347] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cAlternateFileName="MIA24C~1.EVT")) returned 1 [0270.347] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2=".") returned 1 [0270.347] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="..") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="...") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="windows") returned -1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="rsa") returned -1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="ntldr") returned -1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="programdata") returned -1 [0270.348] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="appdata") returned 1 [0270.349] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="program files") returned -1 [0270.349] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.349] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="microsoft") returned 1 [0270.349] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="sophos") returned -1 [0270.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28d1278 [0270.349] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.349] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned=".evtx" [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.349] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.350] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.350] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.350] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.350] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.350] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.350] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.350] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.350] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0270.350] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.350] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=2166784) returned 1 [0270.351] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.351] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0270.351] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.351] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0270.351] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0270.351] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0270.351] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.351] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.352] GetTickCount () returned 0x1183c7a [0270.352] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.352] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.352] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x211000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.352] SetLastError (dwErrCode=0x0) [0270.352] WriteFile (in: hFile=0x260, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.353] GetLastError () returned 0x0 [0270.353] GetLastError () returned 0x0 [0270.354] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x211100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.354] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.354] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x211200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.354] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc774be84, dwHighDateTime=0x1d5fd73)) [0270.354] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.354] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.354] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.389] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x927c0) returned 0x2e28020 [0270.392] GetCurrentProcess () returned 0xffffffff [0270.392] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.392] ReadFile (in: hFile=0x260, lpBuffer=0x2e28020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e28020*, lpNumberOfBytesRead=0x26ef2ac*=0x927c0, lpOverlapped=0x0) returned 1 [0270.456] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.456] WriteFile (in: hFile=0x260, lpBuffer=0x2e28020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e28020*, lpNumberOfBytesWritten=0x26ef2a0*=0x927c0, lpOverlapped=0x0) returned 1 [0270.458] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2e28020 | out: hHeap=0x28d0000) returned 1 [0270.462] CloseHandle (hObject=0x260) returned 1 [0270.561] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0270.561] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0270.561] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.561] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0270.561] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd58 [0270.561] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.nefilim")) returned 1 [0270.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd58 | out: hHeap=0x28d0000) returned 1 [0270.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.562] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cAlternateFileName="MIDBEC~1.EVT")) returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2=".") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="..") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="...") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="windows") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="rsa") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="NTDETECT.COM") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="ntldr") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="MSDOS.SYS") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="IO.SYS") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="boot.ini") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="ntuser.dat") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="desktop.ini") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="CONFIG.SYS") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="RECYCLER") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="bootmgr") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="programdata") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="appdata") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="program files") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="program files (x86)") returned -1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="microsoft") returned 1 [0270.563] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="sophos") returned -1 [0270.563] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.564] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.564] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned=".evtx" [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.564] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.565] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.565] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.565] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.565] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.567] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0270.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0270.567] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0270.567] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0270.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0270.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0270.567] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.569] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.571] GetTickCount () returned 0x1183d64 [0270.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.571] SetLastError (dwErrCode=0x0) [0270.571] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.572] GetLastError () returned 0x0 [0270.572] GetLastError () returned 0x0 [0270.572] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.572] WriteFile (in: hFile=0x260, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.573] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.573] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7963d7e, dwHighDateTime=0x1d5fd73)) [0270.573] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.573] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.573] GetProcessHeap () returned 0xa10000 [0270.573] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.573] GetSystemDefaultLangID () returned 0xa20409 [0270.573] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.573] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.582] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.582] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.583] GetProcessHeap () returned 0xa10000 [0270.583] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.583] CloseHandle (hObject=0x260) returned 1 [0270.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0270.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0270.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0270.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0270.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0270.588] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.nefilim")) returned 1 [0270.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0270.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.589] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx", cAlternateFileName="MI54F1~1.EVT")) returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2=".") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="..") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="...") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="windows") returned -1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="rsa") returned -1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="ntldr") returned -1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="programdata") returned -1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="appdata") returned 1 [0270.589] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="program files") returned -1 [0270.590] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.590] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="microsoft") returned 1 [0270.590] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="sophos") returned -1 [0270.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.590] PathFindExtensionW (pszPath="Microsoft-Windows-AppxPackaging%4Operational.evtx") returned=".evtx" [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.590] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.590] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.591] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.591] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0270.591] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.591] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0270.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0270.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0270.591] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.592] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.592] GetTickCount () returned 0x1183d74 [0270.592] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.592] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.592] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.592] SetLastError (dwErrCode=0x0) [0270.592] WriteFile (in: hFile=0x260, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.594] GetLastError () returned 0x0 [0270.594] GetLastError () returned 0x0 [0270.594] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.594] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.594] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.594] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc79ae47c, dwHighDateTime=0x1d5fd73)) [0270.594] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.594] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.594] GetProcessHeap () returned 0xa10000 [0270.594] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.594] GetSystemDefaultLangID () returned 0xa20409 [0270.595] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.595] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.600] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.600] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.601] GetProcessHeap () returned 0xa10000 [0270.601] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.601] CloseHandle (hObject=0x260) returned 1 [0270.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0270.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0270.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0270.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0270.609] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.nefilim")) returned 1 [0270.610] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0270.610] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.610] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cAlternateFileName="MI111F~1.EVT")) returned 1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2=".") returned 1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="..") returned 1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="...") returned 1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="windows") returned -1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="rsa") returned -1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="ntldr") returned -1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.610] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.611] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.611] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.611] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.611] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="programdata") returned -1 [0270.611] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="appdata") returned 1 [0270.611] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="program files") returned -1 [0270.611] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.611] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="microsoft") returned 1 [0270.611] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="sophos") returned -1 [0270.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbcc0 [0270.611] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.611] PathFindExtensionW (pszPath="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned=".evtx" [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.611] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.612] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.612] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.612] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.612] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.612] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd68 [0270.612] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.613] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0270.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0270.613] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0270.613] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0270.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0270.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0270.613] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.614] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.614] GetTickCount () returned 0x1183d93 [0270.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.614] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.614] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.614] SetLastError (dwErrCode=0x0) [0270.614] WriteFile (in: hFile=0x260, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.616] GetLastError () returned 0x0 [0270.616] GetLastError () returned 0x0 [0270.616] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.616] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.616] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.616] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc79dbf0c, dwHighDateTime=0x1d5fd73)) [0270.616] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.616] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.616] GetProcessHeap () returned 0xa10000 [0270.616] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.616] GetSystemDefaultLangID () returned 0xa20409 [0270.616] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.616] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.622] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.622] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.623] GetProcessHeap () returned 0xa10000 [0270.623] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.623] CloseHandle (hObject=0x260) returned 1 [0270.631] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0270.631] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0270.631] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0270.631] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0270.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0270.632] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.nefilim")) returned 1 [0270.632] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0270.632] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd68 | out: hHeap=0x28d0000) returned 1 [0270.632] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx", cAlternateFileName="MI9465~1.EVT")) returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2=".") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="..") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="...") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="windows") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="rsa") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="ntldr") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="programdata") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="appdata") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="program files") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="microsoft") returned 1 [0270.633] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="sophos") returned -1 [0270.633] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0270.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.634] PathFindExtensionW (pszPath="Microsoft-Windows-Bits-Client%4Operational.evtx") returned=".evtx" [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.634] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.634] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.634] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0270.634] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.635] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.635] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.635] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0270.635] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.635] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0270.635] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0270.635] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0270.635] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.636] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.637] GetTickCount () returned 0x1183da3 [0270.637] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.637] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.637] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.637] SetLastError (dwErrCode=0x0) [0270.637] WriteFile (in: hFile=0x260, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.638] GetLastError () returned 0x0 [0270.638] GetLastError () returned 0x0 [0270.638] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.638] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.639] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.639] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7a20b5a, dwHighDateTime=0x1d5fd73)) [0270.639] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.639] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.639] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.639] GetProcessHeap () returned 0xa10000 [0270.639] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.639] GetSystemDefaultLangID () returned 0xa20409 [0270.639] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.639] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.645] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.645] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.645] GetProcessHeap () returned 0xa10000 [0270.646] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.646] CloseHandle (hObject=0x260) returned 1 [0270.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0270.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0270.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0270.655] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0270.655] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.nefilim")) returned 1 [0270.656] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0270.656] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.656] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cAlternateFileName="MI03A7~1.EVT")) returned 1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2=".") returned 1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="..") returned 1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="...") returned 1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="windows") returned -1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="rsa") returned -1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="ntldr") returned -1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.657] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.658] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.658] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.658] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.658] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="programdata") returned -1 [0270.658] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="appdata") returned 1 [0270.658] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="program files") returned -1 [0270.658] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.658] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="microsoft") returned 1 [0270.658] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="sophos") returned -1 [0270.658] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.658] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.658] PathFindExtensionW (pszPath="Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned=".evtx" [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.658] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.659] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.659] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.659] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0270.659] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.659] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0270.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0270.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0270.659] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.660] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.660] GetTickCount () returned 0x1183dc2 [0270.660] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.660] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.660] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.660] SetLastError (dwErrCode=0x0) [0270.660] WriteFile (in: hFile=0x260, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.661] GetLastError () returned 0x0 [0270.661] GetLastError () returned 0x0 [0270.662] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.662] WriteFile (in: hFile=0x260, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.662] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.662] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7a4c063, dwHighDateTime=0x1d5fd73)) [0270.662] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.662] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.662] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.662] GetProcessHeap () returned 0xa10000 [0270.662] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.662] GetSystemDefaultLangID () returned 0xa20409 [0270.662] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.662] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.668] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.668] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.668] GetProcessHeap () returned 0xa10000 [0270.668] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.669] CloseHandle (hObject=0x260) returned 1 [0270.674] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0270.674] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0270.674] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.674] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0270.674] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0270.674] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.nefilim")) returned 1 [0270.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0270.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.675] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cAlternateFileName="MI5CA2~1.EVT")) returned 1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2=".") returned 1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="..") returned 1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="...") returned 1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="windows") returned -1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="rsa") returned -1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="ntldr") returned -1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.675] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="programdata") returned -1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="appdata") returned 1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="program files") returned -1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="microsoft") returned 1 [0270.676] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="sophos") returned -1 [0270.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28d1278 [0270.676] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.676] PathFindExtensionW (pszPath="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned=".evtx" [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.676] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.677] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.677] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.677] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.677] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.677] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0270.677] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.677] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0270.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0270.677] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0270.677] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0270.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0270.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d206a0 [0270.678] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.678] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d206a0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d206a0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.678] GetTickCount () returned 0x1183dc2 [0270.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.678] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.678] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.678] SetLastError (dwErrCode=0x0) [0270.679] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.682] GetLastError () returned 0x0 [0270.682] GetLastError () returned 0x0 [0270.682] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.682] WriteFile (in: hFile=0x260, lpBuffer=0x2d206a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d206a0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.683] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.683] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7a93387, dwHighDateTime=0x1d5fd73)) [0270.683] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.683] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.683] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.683] GetProcessHeap () returned 0xa10000 [0270.683] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.683] GetSystemDefaultLangID () returned 0xa20409 [0270.683] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.683] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.696] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.697] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.697] GetProcessHeap () returned 0xa10000 [0270.697] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.697] CloseHandle (hObject=0x260) returned 1 [0270.703] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0270.703] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d206a0 | out: hHeap=0x28d0000) returned 1 [0270.703] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0270.703] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0270.703] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd58 [0270.704] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.nefilim")) returned 1 [0270.705] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd58 | out: hHeap=0x28d0000) returned 1 [0270.705] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.705] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cAlternateFileName="MI5FD1~1.EVT")) returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2=".") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="..") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="...") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="windows") returned -1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="rsa") returned -1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="NTDETECT.COM") returned -1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="ntldr") returned -1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="MSDOS.SYS") returned -1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="IO.SYS") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="boot.ini") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="ntuser.dat") returned -1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="desktop.ini") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="CONFIG.SYS") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="RECYCLER") returned -1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="bootmgr") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="programdata") returned -1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="appdata") returned 1 [0270.705] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="program files") returned -1 [0270.706] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="program files (x86)") returned -1 [0270.706] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="microsoft") returned 1 [0270.706] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="sophos") returned -1 [0270.706] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.706] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.706] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned=".evtx" [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.706] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.707] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.707] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.707] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.707] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.707] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.707] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0270.707] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.707] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0270.707] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0270.707] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0270.707] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.708] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.709] GetTickCount () returned 0x1183de1 [0270.709] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.710] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.710] SetLastError (dwErrCode=0x0) [0270.710] WriteFile (in: hFile=0x260, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.711] GetLastError () returned 0x0 [0270.711] GetLastError () returned 0x0 [0270.711] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.711] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.711] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.711] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7ab94e9, dwHighDateTime=0x1d5fd73)) [0270.711] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.711] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.711] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.712] GetProcessHeap () returned 0xa10000 [0270.712] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.713] GetSystemDefaultLangID () returned 0xa20409 [0270.713] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.713] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.721] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.721] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.722] GetProcessHeap () returned 0xa10000 [0270.722] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.722] CloseHandle (hObject=0x260) returned 1 [0270.728] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0270.728] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0270.728] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.728] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0270.728] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0270.728] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.nefilim")) returned 1 [0270.729] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0270.729] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.729] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cAlternateFileName="MI8BDF~1.EVT")) returned 1 [0270.729] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2=".") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="..") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="...") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="windows") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="rsa") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="ntldr") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="programdata") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="appdata") returned 1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="program files") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.730] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="microsoft") returned 1 [0270.731] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="sophos") returned -1 [0270.731] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.731] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.731] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned=".evtx" [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.731] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.731] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.731] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.732] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.733] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.733] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.733] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0270.733] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.733] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0270.733] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0270.733] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0270.733] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.735] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.738] GetTickCount () returned 0x1183e01 [0270.738] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.738] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.738] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.738] SetLastError (dwErrCode=0x0) [0270.738] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.740] GetLastError () returned 0x0 [0270.740] GetLastError () returned 0x0 [0270.740] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.740] WriteFile (in: hFile=0x260, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.740] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.740] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7b05a3f, dwHighDateTime=0x1d5fd73)) [0270.740] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.740] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.740] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.740] GetProcessHeap () returned 0xa10000 [0270.740] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.742] GetSystemDefaultLangID () returned 0xa20409 [0270.742] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.742] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.748] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.749] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.749] GetProcessHeap () returned 0xa10000 [0270.749] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.749] CloseHandle (hObject=0x260) returned 1 [0270.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0270.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0270.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0270.755] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0270.756] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.nefilim")) returned 1 [0270.757] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0270.757] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.757] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cAlternateFileName="MIAEBD~1.EVT")) returned 1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2=".") returned 1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="..") returned 1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="...") returned 1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="windows") returned -1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="rsa") returned -1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="ntldr") returned -1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="IO.SYS") returned 1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="boot.ini") returned 1 [0270.757] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="desktop.ini") returned 1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="RECYCLER") returned -1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="bootmgr") returned 1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="programdata") returned -1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="appdata") returned 1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="program files") returned -1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="program files (x86)") returned -1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="microsoft") returned 1 [0270.758] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="sophos") returned -1 [0270.758] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbcc0 [0270.758] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.758] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned=".evtx" [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.758] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.759] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.759] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.759] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.759] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.759] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.759] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.759] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.759] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbd78 [0270.759] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.759] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1052672) returned 1 [0270.759] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.759] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0270.759] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.759] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0270.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0270.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0270.760] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.762] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.765] GetTickCount () returned 0x1183e20 [0270.765] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.765] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.765] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.765] SetLastError (dwErrCode=0x0) [0270.765] WriteFile (in: hFile=0x260, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.767] GetLastError () returned 0x0 [0270.767] GetLastError () returned 0x0 [0270.767] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.767] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.767] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.767] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7b51e2c, dwHighDateTime=0x1d5fd73)) [0270.767] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.767] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.767] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.767] GetProcessHeap () returned 0xa10000 [0270.767] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x101000) returned 0x2e26020 [0270.771] GetSystemDefaultLangID () returned 0xa20409 [0270.771] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.771] ReadFile (in: hFile=0x260, lpBuffer=0x2e26020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e26020*, lpNumberOfBytesRead=0x26ef2ac*=0x101000, lpOverlapped=0x0) returned 1 [0270.858] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.858] WriteFile (in: hFile=0x260, lpBuffer=0x2e26020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e26020*, lpNumberOfBytesWritten=0x26ef2a0*=0x101000, lpOverlapped=0x0) returned 1 [0270.862] GetProcessHeap () returned 0xa10000 [0270.862] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0x2e26020 | out: hHeap=0xa10000) returned 1 [0270.868] CloseHandle (hObject=0x260) returned 1 [0270.894] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0270.894] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0270.894] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.894] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0270.894] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28dbe30 [0270.894] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.nefilim")) returned 1 [0270.896] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe30 | out: hHeap=0x28d0000) returned 1 [0270.896] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd78 | out: hHeap=0x28d0000) returned 1 [0270.896] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cAlternateFileName="MIA726~1.EVT")) returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2=".") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="..") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="...") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="windows") returned -1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="rsa") returned -1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="ntldr") returned -1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="IO.SYS") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="boot.ini") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="desktop.ini") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="RECYCLER") returned -1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="bootmgr") returned 1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="programdata") returned -1 [0270.896] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="appdata") returned 1 [0270.897] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="program files") returned -1 [0270.897] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="program files (x86)") returned -1 [0270.897] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="microsoft") returned 1 [0270.897] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="sophos") returned -1 [0270.897] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.897] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.897] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned=".evtx" [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.897] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.897] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.897] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.898] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.898] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.898] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.898] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0270.898] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.898] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0270.898] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0270.898] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0270.898] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.901] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.903] GetTickCount () returned 0x1183ead [0270.903] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.903] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.903] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.903] SetLastError (dwErrCode=0x0) [0270.903] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.905] GetLastError () returned 0x0 [0270.905] GetLastError () returned 0x0 [0270.905] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.905] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.905] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.905] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7ca92f7, dwHighDateTime=0x1d5fd73)) [0270.905] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.905] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.905] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.906] GetProcessHeap () returned 0xa10000 [0270.906] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.906] GetSystemDefaultLangID () returned 0xa20409 [0270.906] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.906] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.913] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.913] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.914] GetProcessHeap () returned 0xa10000 [0270.914] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.914] CloseHandle (hObject=0x260) returned 1 [0270.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0270.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0270.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0270.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0270.920] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.nefilim")) returned 1 [0270.921] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0270.921] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.921] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cAlternateFileName="MI08CB~1.EVT")) returned 1 [0270.921] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2=".") returned 1 [0270.921] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="..") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="...") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="windows") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="rsa") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="ntldr") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="programdata") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="appdata") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="program files") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="microsoft") returned 1 [0270.922] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="sophos") returned -1 [0270.922] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.923] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned=".evtx" [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.923] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.923] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.923] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.924] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0270.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0a8 [0270.924] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0270.924] SystemFunction036 (in: RandomBuffer=0x28de0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0a8) returned 1 [0270.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0270.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0270.924] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.926] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.928] GetTickCount () returned 0x1183ecc [0270.928] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.928] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.928] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.928] SetLastError (dwErrCode=0x0) [0270.928] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.929] GetLastError () returned 0x0 [0270.929] GetLastError () returned 0x0 [0270.929] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.929] WriteFile (in: hFile=0x260, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.930] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.930] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7cd57c0, dwHighDateTime=0x1d5fd73)) [0270.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.930] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.930] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.930] GetProcessHeap () returned 0xa10000 [0270.930] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.930] GetSystemDefaultLangID () returned 0xa20409 [0270.930] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.930] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.936] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.936] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.937] GetProcessHeap () returned 0xa10000 [0270.937] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.937] CloseHandle (hObject=0x260) returned 1 [0270.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0270.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0270.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0270.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0a8 | out: hHeap=0x28d0000) returned 1 [0270.944] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0270.944] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.nefilim")) returned 1 [0270.945] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0270.945] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.945] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cAlternateFileName="MI8270~1.EVT")) returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2=".") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="..") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="...") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="windows") returned -1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="rsa") returned -1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="ntldr") returned -1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="IO.SYS") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="boot.ini") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="desktop.ini") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="RECYCLER") returned -1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="bootmgr") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="programdata") returned -1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="appdata") returned 1 [0270.945] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="program files") returned -1 [0270.946] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="program files (x86)") returned -1 [0270.946] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="microsoft") returned 1 [0270.946] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="sophos") returned -1 [0270.946] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0270.946] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.946] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned=".evtx" [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.946] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.946] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.946] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0270.946] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.947] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0270.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.947] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0270.947] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0270.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0270.947] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.947] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.948] GetTickCount () returned 0x1183ecc [0270.948] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.948] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.948] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.949] SetLastError (dwErrCode=0x0) [0270.949] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.950] GetLastError () returned 0x0 [0270.950] GetLastError () returned 0x0 [0270.950] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.950] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.950] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.950] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7d1bab7, dwHighDateTime=0x1d5fd73)) [0270.950] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.950] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.950] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.950] GetProcessHeap () returned 0xa10000 [0270.950] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.950] GetSystemDefaultLangID () returned 0xa20409 [0270.950] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.951] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.957] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.957] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.958] GetProcessHeap () returned 0xa10000 [0270.958] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.958] CloseHandle (hObject=0x260) returned 1 [0270.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0270.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0270.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0270.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.964] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0270.964] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.nefilim")) returned 1 [0270.965] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0270.965] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.965] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cAlternateFileName="MIEBFF~1.EVT")) returned 1 [0270.965] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2=".") returned 1 [0270.965] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="..") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="...") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="windows") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="rsa") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="ntldr") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="IO.SYS") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="boot.ini") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="desktop.ini") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="RECYCLER") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="bootmgr") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="programdata") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="appdata") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="program files") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="program files (x86)") returned -1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="microsoft") returned 1 [0270.966] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="sophos") returned -1 [0270.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0270.966] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.966] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned=".evtx" [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.967] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.967] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0270.967] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.968] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.968] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0270.968] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0270.968] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0270.968] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0270.968] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0270.968] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d206a0 [0270.968] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.968] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d206a0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d206a0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.969] GetTickCount () returned 0x1183eeb [0270.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.969] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.969] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.969] SetLastError (dwErrCode=0x0) [0270.969] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.970] GetLastError () returned 0x0 [0270.970] GetLastError () returned 0x0 [0270.970] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.970] WriteFile (in: hFile=0x260, lpBuffer=0x2d206a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d206a0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.970] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.970] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7d41cdb, dwHighDateTime=0x1d5fd73)) [0270.970] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.971] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.971] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.971] GetProcessHeap () returned 0xa10000 [0270.971] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.971] GetSystemDefaultLangID () returned 0xa20409 [0270.971] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.971] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0270.979] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.980] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0270.980] GetProcessHeap () returned 0xa10000 [0270.980] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0270.980] CloseHandle (hObject=0x260) returned 1 [0270.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0270.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d206a0 | out: hHeap=0x28d0000) returned 1 [0270.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0270.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0270.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0270.983] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.nefilim")) returned 1 [0270.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0270.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0270.984] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cAlternateFileName="MI9F85~1.EVT")) returned 1 [0270.984] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2=".") returned 1 [0270.984] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="..") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="...") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="windows") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="rsa") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="ntldr") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="IO.SYS") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="boot.ini") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="desktop.ini") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="RECYCLER") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="bootmgr") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="programdata") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="appdata") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="program files") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="program files (x86)") returned -1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="microsoft") returned 1 [0270.985] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="sophos") returned -1 [0270.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0270.985] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0270.985] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned=".evtx" [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0270.986] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0270.986] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0270.986] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0270.986] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0270.991] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0270.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0270.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0270.991] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0270.991] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0270.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20070 [0270.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0270.991] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x100) returned 1 [0270.992] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0270.992] GetTickCount () returned 0x1183efb [0270.992] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0270.992] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.992] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.992] SetLastError (dwErrCode=0x0) [0270.992] WriteFile (in: hFile=0x260, lpBuffer=0x2d20070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20070*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.994] GetLastError () returned 0x0 [0270.994] GetLastError () returned 0x0 [0270.994] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.994] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0270.994] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.994] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7d67ec6, dwHighDateTime=0x1d5fd73)) [0270.994] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0270.994] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0270.994] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0270.994] GetProcessHeap () returned 0xa10000 [0270.994] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0270.994] GetSystemDefaultLangID () returned 0xa20409 [0270.994] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0270.994] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.001] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.001] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.001] GetProcessHeap () returned 0xa10000 [0271.001] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.001] CloseHandle (hObject=0x260) returned 1 [0271.007] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20070 | out: hHeap=0x28d0000) returned 1 [0271.007] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.007] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0271.007] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0271.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0271.007] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.nefilim")) returned 1 [0271.008] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0271.008] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.008] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cAlternateFileName="MIBE3D~1.EVT")) returned 1 [0271.008] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2=".") returned 1 [0271.008] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="..") returned 1 [0271.008] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="...") returned 1 [0271.008] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="windows") returned -1 [0271.008] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="rsa") returned -1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="ntldr") returned -1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="programdata") returned -1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="appdata") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="program files") returned -1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="microsoft") returned 1 [0271.009] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="sophos") returned -1 [0271.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0271.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.009] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned=".evtx" [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.009] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.010] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.010] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.010] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.010] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.010] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28d1278 [0271.010] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.010] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0271.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.010] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0271.010] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0271.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0271.010] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.011] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.011] GetTickCount () returned 0x1183f1a [0271.011] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.011] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.011] SetLastError (dwErrCode=0x0) [0271.011] WriteFile (in: hFile=0x260, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.012] GetLastError () returned 0x0 [0271.012] GetLastError () returned 0x0 [0271.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.012] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.012] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7db4359, dwHighDateTime=0x1d5fd73)) [0271.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.013] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.013] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.013] GetProcessHeap () returned 0xa10000 [0271.013] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.013] GetSystemDefaultLangID () returned 0xa20409 [0271.013] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.013] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.017] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.017] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.017] GetProcessHeap () returned 0xa10000 [0271.017] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.017] CloseHandle (hObject=0x260) returned 1 [0271.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0271.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0271.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0271.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.037] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd58 [0271.037] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.nefilim")) returned 1 [0271.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd58 | out: hHeap=0x28d0000) returned 1 [0271.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.038] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx", cAlternateFileName="MIE38D~1.EVT")) returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2=".") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="..") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="...") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="windows") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="rsa") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="ntldr") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="programdata") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="appdata") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="program files") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="microsoft") returned 1 [0271.038] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="sophos") returned -1 [0271.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0271.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.038] PathFindExtensionW (pszPath="Microsoft-Windows-GroupPolicy%4Operational.evtx") returned=".evtx" [0271.038] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.039] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.039] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0271.039] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.039] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0271.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0271.039] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0271.040] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0271.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0271.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d206a0 [0271.040] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.040] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d206a0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d206a0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.040] GetTickCount () returned 0x1183f39 [0271.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.040] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.040] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.040] SetLastError (dwErrCode=0x0) [0271.040] WriteFile (in: hFile=0x260, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.041] GetLastError () returned 0x0 [0271.041] GetLastError () returned 0x0 [0271.041] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.041] WriteFile (in: hFile=0x260, lpBuffer=0x2d206a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d206a0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.042] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.042] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7e007e9, dwHighDateTime=0x1d5fd73)) [0271.042] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.042] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.042] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.042] GetProcessHeap () returned 0xa10000 [0271.042] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.042] GetSystemDefaultLangID () returned 0xa20409 [0271.042] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.042] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.046] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.046] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.047] GetProcessHeap () returned 0xa10000 [0271.047] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.047] CloseHandle (hObject=0x260) returned 1 [0271.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0271.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d206a0 | out: hHeap=0x28d0000) returned 1 [0271.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0271.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0271.052] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0271.052] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.nefilim")) returned 1 [0271.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0271.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.053] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx", cAlternateFileName="MIE386~1.EVT")) returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2=".") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="..") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="...") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="windows") returned -1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="rsa") returned -1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="ntldr") returned -1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="programdata") returned -1 [0271.053] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="appdata") returned 1 [0271.054] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="program files") returned -1 [0271.054] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.054] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="microsoft") returned 1 [0271.054] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="sophos") returned -1 [0271.054] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0271.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.054] PathFindExtensionW (pszPath="Microsoft-Windows-HotspotAuth%4Operational.evtx") returned=".evtx" [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.054] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.054] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.054] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0271.054] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.056] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0a8 [0271.056] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.056] SystemFunction036 (in: RandomBuffer=0x28de0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0a8) returned 1 [0271.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0271.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21720 [0271.056] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.056] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21720*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21720*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.057] GetTickCount () returned 0x1183f39 [0271.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.057] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.057] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.057] SetLastError (dwErrCode=0x0) [0271.057] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.059] GetLastError () returned 0x0 [0271.059] GetLastError () returned 0x0 [0271.059] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.059] WriteFile (in: hFile=0x260, lpBuffer=0x2d21720*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21720*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.059] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.059] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7e2690e, dwHighDateTime=0x1d5fd73)) [0271.059] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.059] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.059] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.059] GetProcessHeap () returned 0xa10000 [0271.059] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.059] GetSystemDefaultLangID () returned 0xa20409 [0271.059] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.059] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.064] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.064] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.065] GetProcessHeap () returned 0xa10000 [0271.065] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.065] CloseHandle (hObject=0x260) returned 1 [0271.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0271.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21720 | out: hHeap=0x28d0000) returned 1 [0271.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0a8 | out: hHeap=0x28d0000) returned 1 [0271.071] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0271.071] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.nefilim")) returned 1 [0271.072] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0271.072] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.073] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cAlternateFileName="MI6B25~1.EVT")) returned 1 [0271.073] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2=".") returned 1 [0271.073] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="..") returned 1 [0271.073] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="...") returned 1 [0271.073] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="windows") returned -1 [0271.073] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.075] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="rsa") returned -1 [0271.075] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0271.075] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="ntldr") returned -1 [0271.075] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0271.075] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="IO.SYS") returned 1 [0271.075] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="boot.ini") returned 1 [0271.075] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.075] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0271.075] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="desktop.ini") returned 1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="RECYCLER") returned -1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="bootmgr") returned 1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="programdata") returned -1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="appdata") returned 1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="program files") returned -1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="program files (x86)") returned -1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="microsoft") returned 1 [0271.076] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="sophos") returned -1 [0271.076] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0271.076] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.076] PathFindExtensionW (pszPath="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned=".evtx" [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.076] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.077] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.077] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.077] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.077] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.077] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0271.077] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.077] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de120 [0271.077] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.077] SystemFunction036 (in: RandomBuffer=0x28de120, RandomBufferLength=0x10 | out: RandomBuffer=0x28de120) returned 1 [0271.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0271.078] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0271.078] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.078] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.078] GetTickCount () returned 0x1183f58 [0271.078] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.078] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.079] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.079] SetLastError (dwErrCode=0x0) [0271.079] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.080] GetLastError () returned 0x0 [0271.080] GetLastError () returned 0x0 [0271.080] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.080] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.080] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.080] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7e4ce25, dwHighDateTime=0x1d5fd73)) [0271.080] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.080] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.081] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.081] GetProcessHeap () returned 0xa10000 [0271.081] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.081] GetSystemDefaultLangID () returned 0xa20409 [0271.081] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.081] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.086] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.087] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.087] GetProcessHeap () returned 0xa10000 [0271.087] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.087] CloseHandle (hObject=0x260) returned 1 [0271.091] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0271.091] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0271.091] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.091] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de120 | out: hHeap=0x28d0000) returned 1 [0271.091] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0271.092] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.nefilim")) returned 1 [0271.092] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0271.093] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.093] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-International%4Operational.evtx", cAlternateFileName="MI854A~1.EVT")) returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2=".") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="..") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="...") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="windows") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="rsa") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="ntldr") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="programdata") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="appdata") returned 1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="program files") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.093] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="microsoft") returned 1 [0271.094] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="sophos") returned -1 [0271.094] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0271.094] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.094] PathFindExtensionW (pszPath="Microsoft-Windows-International%4Operational.evtx") returned=".evtx" [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.094] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.094] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.094] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0271.094] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.095] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.095] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.096] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0271.096] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.096] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0271.096] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0271.096] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0271.096] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.096] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.097] GetTickCount () returned 0x1183f78 [0271.097] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.097] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.097] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.097] SetLastError (dwErrCode=0x0) [0271.097] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.098] GetLastError () returned 0x0 [0271.098] GetLastError () returned 0x0 [0271.098] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.098] WriteFile (in: hFile=0x260, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.098] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.098] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7e794fe, dwHighDateTime=0x1d5fd73)) [0271.098] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.099] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.099] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.099] GetProcessHeap () returned 0xa10000 [0271.099] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.099] GetSystemDefaultLangID () returned 0xa20409 [0271.099] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.099] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.105] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.105] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.105] GetProcessHeap () returned 0xa10000 [0271.105] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.105] CloseHandle (hObject=0x260) returned 1 [0271.119] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.119] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0271.119] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.119] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0271.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0271.120] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.nefilim")) returned 1 [0271.126] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0271.126] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.126] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cAlternateFileName="MI32CE~1.EVT")) returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2=".") returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="..") returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="...") returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="windows") returned -1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="rsa") returned -1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="ntldr") returned -1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.126] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.127] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.127] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="programdata") returned -1 [0271.127] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="appdata") returned 1 [0271.127] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="program files") returned -1 [0271.127] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.127] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="microsoft") returned 1 [0271.127] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="sophos") returned -1 [0271.127] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0271.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.127] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned=".evtx" [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.127] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.128] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.128] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.128] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.128] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0271.128] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.128] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.128] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0271.128] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.128] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0271.128] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.128] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0271.128] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0271.128] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.129] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.129] GetTickCount () returned 0x1183f87 [0271.129] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.129] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.129] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.129] SetLastError (dwErrCode=0x0) [0271.129] WriteFile (in: hFile=0x260, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.131] GetLastError () returned 0x0 [0271.131] GetLastError () returned 0x0 [0271.131] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.131] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.131] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.131] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7ebf3e4, dwHighDateTime=0x1d5fd73)) [0271.131] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.131] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.131] GetProcessHeap () returned 0xa10000 [0271.131] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.131] GetSystemDefaultLangID () returned 0xa20409 [0271.131] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.131] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.137] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.137] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.138] GetProcessHeap () returned 0xa10000 [0271.138] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.138] CloseHandle (hObject=0x260) returned 1 [0271.143] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0271.143] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.143] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0271.143] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.143] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0271.143] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.nefilim")) returned 1 [0271.145] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0271.145] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.145] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cAlternateFileName="MIA934~1.EVT")) returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2=".") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="..") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="...") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="windows") returned -1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="rsa") returned -1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="ntldr") returned -1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="IO.SYS") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="boot.ini") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="desktop.ini") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="RECYCLER") returned -1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="bootmgr") returned 1 [0271.145] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="programdata") returned -1 [0271.146] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="appdata") returned 1 [0271.146] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="program files") returned -1 [0271.146] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="program files (x86)") returned -1 [0271.146] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="microsoft") returned 1 [0271.146] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="sophos") returned -1 [0271.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0271.146] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.146] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned=".evtx" [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.146] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.147] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.147] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0271.147] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.147] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.147] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.147] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0a8 [0271.147] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.147] SystemFunction036 (in: RandomBuffer=0x28de0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0a8) returned 1 [0271.147] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0271.147] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0271.147] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.148] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.148] GetTickCount () returned 0x1183f97 [0271.148] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.148] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.148] SetLastError (dwErrCode=0x0) [0271.148] WriteFile (in: hFile=0x260, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.150] GetLastError () returned 0x0 [0271.150] GetLastError () returned 0x0 [0271.150] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.150] WriteFile (in: hFile=0x260, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.150] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.150] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7ee55bc, dwHighDateTime=0x1d5fd73)) [0271.150] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.150] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.150] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.150] GetProcessHeap () returned 0xa10000 [0271.150] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.150] GetSystemDefaultLangID () returned 0xa20409 [0271.150] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.151] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.156] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.156] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.157] GetProcessHeap () returned 0xa10000 [0271.157] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.157] CloseHandle (hObject=0x260) returned 1 [0271.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0271.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0271.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0a8 | out: hHeap=0x28d0000) returned 1 [0271.163] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0271.164] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.nefilim")) returned 1 [0271.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0271.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.165] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cAlternateFileName="MIB32D~1.EVT")) returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2=".") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="..") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="...") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="windows") returned -1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="rsa") returned -1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="NTDETECT.COM") returned -1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="ntldr") returned -1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="MSDOS.SYS") returned -1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="IO.SYS") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="boot.ini") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="ntuser.dat") returned -1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="desktop.ini") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="CONFIG.SYS") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="RECYCLER") returned -1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="bootmgr") returned 1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="programdata") returned -1 [0271.165] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="appdata") returned 1 [0271.166] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="program files") returned -1 [0271.166] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="program files (x86)") returned -1 [0271.166] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="microsoft") returned 1 [0271.166] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="sophos") returned -1 [0271.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0271.166] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.166] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned=".evtx" [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.166] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.167] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.168] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0271.168] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.168] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1052672) returned 1 [0271.168] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0271.168] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.168] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0271.169] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.169] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0271.169] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d206a0 [0271.169] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.169] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d206a0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d206a0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.169] GetTickCount () returned 0x1183fb6 [0271.170] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.170] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.170] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.170] SetLastError (dwErrCode=0x0) [0271.170] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.171] GetLastError () returned 0x0 [0271.171] GetLastError () returned 0x0 [0271.171] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.171] WriteFile (in: hFile=0x260, lpBuffer=0x2d206a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d206a0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.171] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.171] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc7f31ba0, dwHighDateTime=0x1d5fd73)) [0271.172] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.172] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.172] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.172] GetProcessHeap () returned 0xa10000 [0271.172] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x101000) returned 0x2e27020 [0271.176] GetSystemDefaultLangID () returned 0xa20409 [0271.176] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.176] ReadFile (in: hFile=0x260, lpBuffer=0x2e27020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e27020*, lpNumberOfBytesRead=0x26ef2ac*=0x101000, lpOverlapped=0x0) returned 1 [0271.258] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.258] WriteFile (in: hFile=0x260, lpBuffer=0x2e27020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e27020*, lpNumberOfBytesWritten=0x26ef2a0*=0x101000, lpOverlapped=0x0) returned 1 [0271.263] GetProcessHeap () returned 0xa10000 [0271.263] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0x2e27020 | out: hHeap=0xa10000) returned 1 [0271.270] CloseHandle (hObject=0x260) returned 1 [0271.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0271.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d206a0 | out: hHeap=0x28d0000) returned 1 [0271.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0271.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.290] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0271.291] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.nefilim")) returned 1 [0271.291] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0271.291] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.291] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cAlternateFileName="MICA77~1.EVT")) returned 1 [0271.291] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2=".") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="..") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="...") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="windows") returned -1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="rsa") returned -1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="ntldr") returned -1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="IO.SYS") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="boot.ini") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="desktop.ini") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="RECYCLER") returned -1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="bootmgr") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="programdata") returned -1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="appdata") returned 1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="program files") returned -1 [0271.292] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="program files (x86)") returned -1 [0271.293] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="microsoft") returned 1 [0271.293] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="sophos") returned -1 [0271.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0271.293] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.293] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned=".evtx" [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.293] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.293] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28d1278 [0271.293] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.294] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0271.294] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.294] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0271.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0271.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0271.294] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.294] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.296] GetTickCount () returned 0x1184033 [0271.296] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.296] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.296] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.296] SetLastError (dwErrCode=0x0) [0271.296] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.297] GetLastError () returned 0x0 [0271.297] GetLastError () returned 0x0 [0271.297] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.297] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.297] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.297] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8062e30, dwHighDateTime=0x1d5fd73)) [0271.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.297] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.297] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.297] GetProcessHeap () returned 0xa10000 [0271.297] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.298] GetSystemDefaultLangID () returned 0xa20409 [0271.298] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.298] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.305] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.305] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.305] GetProcessHeap () returned 0xa10000 [0271.305] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.305] CloseHandle (hObject=0x260) returned 1 [0271.308] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0271.308] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0271.308] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.308] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0271.308] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd58 [0271.308] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.nefilim")) returned 1 [0271.312] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd58 | out: hHeap=0x28d0000) returned 1 [0271.312] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.312] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cAlternateFileName="MI1E8D~1.EVT")) returned 1 [0271.312] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2=".") returned 1 [0271.312] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="..") returned 1 [0271.312] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="...") returned 1 [0271.312] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="windows") returned -1 [0271.312] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.312] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="rsa") returned -1 [0271.312] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.312] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="ntldr") returned -1 [0271.312] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="programdata") returned -1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="appdata") returned 1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="program files") returned -1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="microsoft") returned 1 [0271.313] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="sophos") returned -1 [0271.313] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0271.313] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.313] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned=".evtx" [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.313] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.314] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.314] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.314] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.314] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0271.314] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.314] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.314] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.314] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0271.314] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.314] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0271.314] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0271.314] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0271.314] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.316] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.317] GetTickCount () returned 0x1184043 [0271.317] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.318] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.318] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.318] SetLastError (dwErrCode=0x0) [0271.318] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.319] GetLastError () returned 0x0 [0271.319] GetLastError () returned 0x0 [0271.319] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.319] WriteFile (in: hFile=0x260, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.319] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.319] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc80897f3, dwHighDateTime=0x1d5fd73)) [0271.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.319] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.319] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.319] GetProcessHeap () returned 0xa10000 [0271.319] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.319] GetSystemDefaultLangID () returned 0xa20409 [0271.319] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.319] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.330] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.330] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.330] GetProcessHeap () returned 0xa10000 [0271.330] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.330] CloseHandle (hObject=0x260) returned 1 [0271.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0271.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0271.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0271.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0271.333] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.nefilim")) returned 1 [0271.334] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0271.334] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.334] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cAlternateFileName="MID067~1.EVT")) returned 1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2=".") returned 1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="..") returned 1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="...") returned 1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="windows") returned -1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="rsa") returned -1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="ntldr") returned -1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.335] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="programdata") returned -1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="appdata") returned 1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="program files") returned -1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="microsoft") returned 1 [0271.336] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="sophos") returned -1 [0271.336] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0271.336] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.336] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned=".evtx" [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.336] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.337] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.337] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.337] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.337] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.337] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.337] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0271.337] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.337] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.337] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.337] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0271.337] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.337] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0271.337] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0271.337] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0271.337] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.338] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.338] GetTickCount () returned 0x1184052 [0271.338] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.338] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.338] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.341] SetLastError (dwErrCode=0x0) [0271.341] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.343] GetLastError () returned 0x0 [0271.343] GetLastError () returned 0x0 [0271.343] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.343] WriteFile (in: hFile=0x260, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.343] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.343] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc80d54c3, dwHighDateTime=0x1d5fd73)) [0271.343] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.343] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.343] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.343] GetProcessHeap () returned 0xa10000 [0271.343] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.344] GetSystemDefaultLangID () returned 0xa20409 [0271.344] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.344] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.352] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.352] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.352] GetProcessHeap () returned 0xa10000 [0271.352] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.352] CloseHandle (hObject=0x260) returned 1 [0271.388] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.388] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0271.388] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.388] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0271.388] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0271.388] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.nefilim")) returned 1 [0271.389] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0271.389] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.389] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cAlternateFileName="MIDE4D~1.EVT")) returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2=".") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="..") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="...") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="windows") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="rsa") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="NTDETECT.COM") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="ntldr") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="MSDOS.SYS") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="IO.SYS") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="boot.ini") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="ntuser.dat") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="desktop.ini") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="CONFIG.SYS") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="RECYCLER") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="bootmgr") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="programdata") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="appdata") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="program files") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="program files (x86)") returned -1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="microsoft") returned 1 [0271.390] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="sophos") returned -1 [0271.390] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0271.391] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.391] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned=".evtx" [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.391] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.391] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.391] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0271.391] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.393] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.393] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.393] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0271.393] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.393] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0271.393] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0271.393] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20070 [0271.393] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.394] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20070*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20070*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.394] GetTickCount () returned 0x1184091 [0271.394] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.394] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.394] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.394] SetLastError (dwErrCode=0x0) [0271.394] WriteFile (in: hFile=0x260, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.395] GetLastError () returned 0x0 [0271.395] GetLastError () returned 0x0 [0271.395] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.396] WriteFile (in: hFile=0x260, lpBuffer=0x2d20070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20070*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.396] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.396] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8147bda, dwHighDateTime=0x1d5fd73)) [0271.396] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.396] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.396] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.396] GetProcessHeap () returned 0xa10000 [0271.396] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.396] GetSystemDefaultLangID () returned 0xa20409 [0271.396] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.396] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.442] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.442] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.443] GetProcessHeap () returned 0xa10000 [0271.443] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.443] CloseHandle (hObject=0x260) returned 1 [0271.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0271.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20070 | out: hHeap=0x28d0000) returned 1 [0271.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.446] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0271.446] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0271.446] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.nefilim")) returned 1 [0271.446] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0271.447] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.447] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cAlternateFileName="MI36C5~1.EVT")) returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2=".") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="..") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="...") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="windows") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="rsa") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="ntldr") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="programdata") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="appdata") returned 1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="program files") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.447] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="microsoft") returned 1 [0271.448] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="sophos") returned -1 [0271.448] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0271.448] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.448] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned=".evtx" [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.448] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.448] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.448] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0271.449] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.450] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.450] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0271.450] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de120 [0271.450] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0271.450] SystemFunction036 (in: RandomBuffer=0x28de120, RandomBufferLength=0x10 | out: RandomBuffer=0x28de120) returned 1 [0271.450] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0271.450] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0271.450] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.450] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.451] GetTickCount () returned 0x11840cf [0271.451] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.451] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.451] SetLastError (dwErrCode=0x0) [0271.451] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.452] GetLastError () returned 0x0 [0271.452] GetLastError () returned 0x0 [0271.452] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.452] WriteFile (in: hFile=0x260, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.452] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.452] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc81e064c, dwHighDateTime=0x1d5fd73)) [0271.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.453] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.453] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.453] GetProcessHeap () returned 0xa10000 [0271.453] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.453] GetSystemDefaultLangID () returned 0xa20409 [0271.453] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.453] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.480] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.480] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.481] GetProcessHeap () returned 0xa10000 [0271.481] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.481] CloseHandle (hObject=0x260) returned 1 [0271.483] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0271.483] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0271.483] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0271.483] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de120 | out: hHeap=0x28d0000) returned 1 [0271.483] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0271.483] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.nefilim")) returned 1 [0271.484] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0271.484] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.484] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Known Folders API Service.evtx", cAlternateFileName="MI86D6~1.EVT")) returned 1 [0271.484] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2=".") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="..") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="...") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="windows") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="rsa") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="NTDETECT.COM") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="ntldr") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="MSDOS.SYS") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="IO.SYS") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="boot.ini") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="ntuser.dat") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="desktop.ini") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="CONFIG.SYS") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="RECYCLER") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="bootmgr") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="programdata") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="appdata") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="program files") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="program files (x86)") returned -1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="microsoft") returned 1 [0271.485] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="sophos") returned -1 [0271.485] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0271.486] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.486] PathFindExtensionW (pszPath="Microsoft-Windows-Known Folders API Service.evtx") returned=".evtx" [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.486] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.486] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.486] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0271.486] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.491] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.491] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0271.491] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0271.491] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0271.491] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0271.492] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0271.492] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0271.492] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.492] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.492] GetTickCount () returned 0x11840ef [0271.492] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.492] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.493] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.493] SetLastError (dwErrCode=0x0) [0271.493] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.494] GetLastError () returned 0x0 [0271.494] GetLastError () returned 0x0 [0271.494] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.494] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.494] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.494] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc822ca18, dwHighDateTime=0x1d5fd73)) [0271.494] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.494] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.494] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.495] GetProcessHeap () returned 0xa10000 [0271.495] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.495] GetSystemDefaultLangID () returned 0xa20409 [0271.495] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.495] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.559] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.560] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.560] GetProcessHeap () returned 0xa10000 [0271.560] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.560] CloseHandle (hObject=0x260) returned 1 [0271.563] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.563] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0271.563] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0271.563] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0271.563] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0271.563] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.nefilim")) returned 1 [0271.564] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0271.564] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.564] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-LiveId%4Operational.evtx", cAlternateFileName="MI4C58~1.EVT")) returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2=".") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="..") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="...") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="windows") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="rsa") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="ntldr") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="programdata") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="appdata") returned 1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="program files") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.565] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="microsoft") returned 1 [0271.566] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="sophos") returned -1 [0271.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0271.566] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.566] PathFindExtensionW (pszPath="Microsoft-Windows-LiveId%4Operational.evtx") returned=".evtx" [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.566] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.566] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0271.567] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.567] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0a8 [0271.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.567] SystemFunction036 (in: RandomBuffer=0x28de0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0a8) returned 1 [0271.567] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0271.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0271.567] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.568] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.568] GetTickCount () returned 0x118414c [0271.568] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.568] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.568] SetLastError (dwErrCode=0x0) [0271.568] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.569] GetLastError () returned 0x0 [0271.569] GetLastError () returned 0x0 [0271.569] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.570] WriteFile (in: hFile=0x260, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.570] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.570] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc82ee68a, dwHighDateTime=0x1d5fd73)) [0271.570] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.570] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.570] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.570] GetProcessHeap () returned 0xa10000 [0271.570] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.570] GetSystemDefaultLangID () returned 0xa20409 [0271.570] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.570] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.580] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.580] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.580] GetProcessHeap () returned 0xa10000 [0271.580] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.580] CloseHandle (hObject=0x260) returned 1 [0271.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0271.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0271.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0a8 | out: hHeap=0x28d0000) returned 1 [0271.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.583] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0271.583] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.nefilim")) returned 1 [0271.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0271.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.584] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-MUI%4Admin.evtx", cAlternateFileName="MI30D3~1.EVT")) returned 1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2=".") returned 1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="..") returned 1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="...") returned 1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="windows") returned -1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="rsa") returned -1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="ntldr") returned -1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="IO.SYS") returned 1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="boot.ini") returned 1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.584] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="desktop.ini") returned 1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="RECYCLER") returned -1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="bootmgr") returned 1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="programdata") returned -1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="appdata") returned 1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="program files") returned -1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="program files (x86)") returned -1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="microsoft") returned 1 [0271.585] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="sophos") returned -1 [0271.585] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1278 [0271.585] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.585] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Admin.evtx") returned=".evtx" [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.585] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.586] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.586] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.586] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.586] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0271.586] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.586] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0271.586] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.586] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0271.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0271.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0271.586] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.587] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.589] GetTickCount () returned 0x118415c [0271.589] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12e0 [0271.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e0 | out: hHeap=0x28d0000) returned 1 [0271.589] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.589] SetLastError (dwErrCode=0x0) [0271.589] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.590] GetLastError () returned 0x0 [0271.590] GetLastError () returned 0x0 [0271.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.590] WriteFile (in: hFile=0x260, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.590] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8337c56, dwHighDateTime=0x1d5fd73)) [0271.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.590] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.591] GetProcessHeap () returned 0xa10000 [0271.591] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.592] GetSystemDefaultLangID () returned 0xa20409 [0271.592] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.592] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.603] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.603] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.603] GetProcessHeap () returned 0xa10000 [0271.603] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.603] CloseHandle (hObject=0x260) returned 1 [0271.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0271.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0271.606] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0271.606] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.nefilim")) returned 1 [0271.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0271.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.607] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-MUI%4Operational.evtx", cAlternateFileName="MI6F01~1.EVT")) returned 1 [0271.607] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2=".") returned 1 [0271.607] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="..") returned 1 [0271.607] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="...") returned 1 [0271.607] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="windows") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="rsa") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="ntldr") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="programdata") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="appdata") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="program files") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="microsoft") returned 1 [0271.608] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="sophos") returned -1 [0271.608] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0271.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.608] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Operational.evtx") returned=".evtx" [0271.608] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.608] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.608] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.609] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.609] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1278 [0271.609] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.609] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0271.610] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.610] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0271.610] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.610] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0271.610] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0271.610] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.612] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.613] GetTickCount () returned 0x118416c [0271.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12e0 [0271.613] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e0 | out: hHeap=0x28d0000) returned 1 [0271.613] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.613] SetLastError (dwErrCode=0x0) [0271.613] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.615] GetLastError () returned 0x0 [0271.615] GetLastError () returned 0x0 [0271.615] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.615] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.615] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.615] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc835dc54, dwHighDateTime=0x1d5fd73)) [0271.615] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.615] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.615] GetProcessHeap () returned 0xa10000 [0271.615] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.615] GetSystemDefaultLangID () returned 0xa20409 [0271.615] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.615] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.622] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.622] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.623] GetProcessHeap () returned 0xa10000 [0271.623] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.623] CloseHandle (hObject=0x260) returned 1 [0271.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0271.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0271.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.627] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0271.627] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.nefilim")) returned 1 [0271.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0271.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.628] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-NCSI%4Operational.evtx", cAlternateFileName="MI483C~1.EVT")) returned 1 [0271.628] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2=".") returned 1 [0271.628] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="..") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="...") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="windows") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="rsa") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="ntldr") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="programdata") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="appdata") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="program files") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="microsoft") returned 1 [0271.629] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="sophos") returned -1 [0271.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0271.629] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.629] PathFindExtensionW (pszPath="Microsoft-Windows-NCSI%4Operational.evtx") returned=".evtx" [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.630] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.630] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.630] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0271.630] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.631] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0271.631] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.631] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0271.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0271.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0271.631] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.631] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.633] GetTickCount () returned 0x118417b [0271.633] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.633] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.633] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.633] SetLastError (dwErrCode=0x0) [0271.633] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.642] GetLastError () returned 0x0 [0271.642] GetLastError () returned 0x0 [0271.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.642] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.643] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc83aa15b, dwHighDateTime=0x1d5fd73)) [0271.643] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.643] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.643] GetProcessHeap () returned 0xa10000 [0271.643] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.644] GetSystemDefaultLangID () returned 0xa20409 [0271.644] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.644] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.659] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.659] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.659] GetProcessHeap () returned 0xa10000 [0271.660] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.660] CloseHandle (hObject=0x260) returned 1 [0271.662] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0271.662] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0271.662] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0271.663] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0271.663] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.nefilim")) returned 1 [0271.666] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0271.666] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.666] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx", cAlternateFileName="MIFC66~1.EVT")) returned 1 [0271.666] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2=".") returned 1 [0271.666] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="..") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="...") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="windows") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="rsa") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="ntldr") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="programdata") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="appdata") returned 1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="program files") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.667] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="microsoft") returned 1 [0271.668] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="sophos") returned -1 [0271.668] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0271.668] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.668] PathFindExtensionW (pszPath="Microsoft-Windows-NetworkProfile%4Operational.evtx") returned=".evtx" [0271.668] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.668] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.668] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.668] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.668] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.668] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.669] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.669] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.669] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.669] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.670] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.670] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.670] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.670] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.670] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.670] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.670] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.670] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0271.670] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.670] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.670] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0271.670] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0271.671] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0271.671] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0271.671] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0271.671] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0271.671] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.674] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.677] GetTickCount () returned 0x11841ba [0271.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.678] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.678] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.678] SetLastError (dwErrCode=0x0) [0271.678] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.679] GetLastError () returned 0x0 [0271.679] GetLastError () returned 0x0 [0271.679] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.679] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.679] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.680] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc84157cc, dwHighDateTime=0x1d5fd73)) [0271.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.680] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.680] GetProcessHeap () returned 0xa10000 [0271.680] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.683] GetSystemDefaultLangID () returned 0xa20409 [0271.683] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.683] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.704] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.704] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.704] GetProcessHeap () returned 0xa10000 [0271.704] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.704] CloseHandle (hObject=0x260) returned 1 [0271.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0271.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0271.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0271.707] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0271.707] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.nefilim")) returned 1 [0271.708] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0271.708] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.709] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx", cAlternateFileName="MI6E98~1.EVT")) returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2=".") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="..") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="...") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="windows") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="rsa") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="ntldr") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="programdata") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="appdata") returned 1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="program files") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.709] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="microsoft") returned 1 [0271.710] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="sophos") returned -1 [0271.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0271.710] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.710] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4Operational.evtx") returned=".evtx" [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.710] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.710] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0271.711] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.732] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.732] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0271.732] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0271.732] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0271.732] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0271.732] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0271.732] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0271.732] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.734] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.737] GetTickCount () returned 0x11841f8 [0271.737] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.737] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.737] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.737] SetLastError (dwErrCode=0x0) [0271.737] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.738] GetLastError () returned 0x0 [0271.738] GetLastError () returned 0x0 [0271.738] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.739] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.739] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.739] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8490a74, dwHighDateTime=0x1d5fd73)) [0271.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.739] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.739] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.739] GetProcessHeap () returned 0xa10000 [0271.739] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.740] GetSystemDefaultLangID () returned 0xa20409 [0271.740] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.740] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.763] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.763] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.764] GetProcessHeap () returned 0xa10000 [0271.764] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.764] CloseHandle (hObject=0x260) returned 1 [0271.767] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0271.767] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.767] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0271.767] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0271.767] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0271.768] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.nefilim")) returned 1 [0271.768] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0271.768] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.768] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx", cAlternateFileName="MIB2AC~1.EVT")) returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2=".") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="..") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="...") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="windows") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="rsa") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="NTDETECT.COM") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="ntldr") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="MSDOS.SYS") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="IO.SYS") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="boot.ini") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="ntuser.dat") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="desktop.ini") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="CONFIG.SYS") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="RECYCLER") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="bootmgr") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="programdata") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="appdata") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="program files") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="program files (x86)") returned -1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="microsoft") returned 1 [0271.769] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="sophos") returned -1 [0271.769] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0271.770] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.770] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4WHC.evtx") returned=".evtx" [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.770] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.770] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.770] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1278 [0271.770] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.771] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.771] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0a8 [0271.771] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0271.771] SystemFunction036 (in: RandomBuffer=0x28de0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0a8) returned 1 [0271.771] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0271.771] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0271.771] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0271.771] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.773] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.775] GetTickCount () returned 0x1184218 [0271.775] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12e0 [0271.775] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e0 | out: hHeap=0x28d0000) returned 1 [0271.775] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.775] SetLastError (dwErrCode=0x0) [0271.775] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.776] GetLastError () returned 0x0 [0271.776] GetLastError () returned 0x0 [0271.776] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.777] WriteFile (in: hFile=0x260, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.777] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.777] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc84dcf87, dwHighDateTime=0x1d5fd73)) [0271.777] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.777] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.777] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.777] GetProcessHeap () returned 0xa10000 [0271.777] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.777] GetSystemDefaultLangID () returned 0xa20409 [0271.777] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.777] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.789] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.789] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.789] GetProcessHeap () returned 0xa10000 [0271.790] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.790] CloseHandle (hObject=0x260) returned 1 [0271.795] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0271.795] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0271.795] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0a8 | out: hHeap=0x28d0000) returned 1 [0271.796] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0271.796] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0271.796] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.nefilim")) returned 1 [0271.796] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0271.796] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0271.796] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cAlternateFileName="MI6AFE~1.EVT")) returned 1 [0271.796] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2=".") returned 1 [0271.796] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="..") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="...") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="windows") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="rsa") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="NTDETECT.COM") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="ntldr") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="MSDOS.SYS") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="IO.SYS") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="boot.ini") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="ntuser.dat") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="desktop.ini") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="CONFIG.SYS") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="RECYCLER") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="bootmgr") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="programdata") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="appdata") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="program files") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="program files (x86)") returned -1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="microsoft") returned 1 [0271.797] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="sophos") returned -1 [0271.797] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbd28 [0271.797] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0271.797] PathFindExtensionW (pszPath="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned=".evtx" [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.797] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.798] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.798] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.798] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.798] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.798] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.798] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.798] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.798] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbde0 [0271.798] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.868] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.868] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0271.868] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0271.868] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0271.868] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0271.868] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0271.868] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0271.868] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.868] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.869] GetTickCount () returned 0x1184275 [0271.869] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.869] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.869] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.869] SetLastError (dwErrCode=0x0) [0271.869] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.870] GetLastError () returned 0x0 [0271.870] GetLastError () returned 0x0 [0271.870] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.870] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.870] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.870] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc85c2bec, dwHighDateTime=0x1d5fd73)) [0271.870] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.870] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.870] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.870] GetProcessHeap () returned 0xa10000 [0271.871] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.871] GetSystemDefaultLangID () returned 0xa20409 [0271.871] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.871] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0271.956] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.956] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0271.956] GetProcessHeap () returned 0xa10000 [0271.957] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0271.957] CloseHandle (hObject=0x260) returned 1 [0271.961] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0271.961] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0271.961] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0271.961] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0271.961] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de318 [0271.961] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.nefilim")) returned 1 [0271.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0271.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde0 | out: hHeap=0x28d0000) returned 1 [0271.962] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx", cAlternateFileName="MIB9D2~1.EVT")) returned 1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2=".") returned 1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="..") returned 1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="...") returned 1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="windows") returned -1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="rsa") returned -1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="ntldr") returned -1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="IO.SYS") returned 1 [0271.962] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="boot.ini") returned 1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="desktop.ini") returned 1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="RECYCLER") returned -1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="bootmgr") returned 1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="programdata") returned -1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="appdata") returned 1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="program files") returned -1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="program files (x86)") returned -1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="microsoft") returned 1 [0271.963] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="sophos") returned -1 [0271.963] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0271.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0271.963] PathFindExtensionW (pszPath="Microsoft-Windows-ReadyBoost%4Operational.evtx") returned=".evtx" [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0271.963] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0271.964] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0271.964] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0271.964] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0271.964] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0271.964] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0271.964] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0271.964] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0271.964] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0271.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0271.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0271.965] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0271.965] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0271.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0271.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0271.965] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ef248*=0x100) returned 1 [0271.965] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0271.967] GetTickCount () returned 0x11842e3 [0271.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0271.967] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.967] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.967] SetLastError (dwErrCode=0x0) [0271.967] WriteFile (in: hFile=0x260, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.968] GetLastError () returned 0x0 [0271.968] GetLastError () returned 0x0 [0271.968] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.968] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0271.969] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.969] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc86ccfe2, dwHighDateTime=0x1d5fd73)) [0271.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0271.969] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0271.969] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0271.969] GetProcessHeap () returned 0xa10000 [0271.969] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0271.970] GetSystemDefaultLangID () returned 0xa20409 [0271.970] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0271.970] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.017] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.017] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.018] GetProcessHeap () returned 0xa10000 [0272.018] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.018] CloseHandle (hObject=0x260) returned 1 [0272.026] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0272.026] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0272.026] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0272.026] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0272.026] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.026] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.nefilim")) returned 1 [0272.028] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.028] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.028] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cAlternateFileName="MI7A67~1.EVT")) returned 1 [0272.028] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2=".") returned 1 [0272.028] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="..") returned 1 [0272.028] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="...") returned 1 [0272.028] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="windows") returned -1 [0272.028] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.028] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="rsa") returned -1 [0272.028] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="ntldr") returned -1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="IO.SYS") returned 1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="boot.ini") returned 1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="desktop.ini") returned 1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="RECYCLER") returned -1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="bootmgr") returned 1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="programdata") returned -1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="appdata") returned 1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="program files") returned -1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="program files (x86)") returned -1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="microsoft") returned 1 [0272.029] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="sophos") returned -1 [0272.029] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbcc0 [0272.029] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.029] PathFindExtensionW (pszPath="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned=".evtx" [0272.029] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.029] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.029] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.029] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.030] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.030] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.030] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd68 [0272.030] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.031] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0272.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de120 [0272.031] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0272.031] SystemFunction036 (in: RandomBuffer=0x28de120, RandomBufferLength=0x10 | out: RandomBuffer=0x28de120) returned 1 [0272.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d206a0 [0272.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0272.031] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d206a0*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d206a0*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.033] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.036] GetTickCount () returned 0x1184321 [0272.036] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.036] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.036] SetLastError (dwErrCode=0x0) [0272.036] WriteFile (in: hFile=0x260, lpBuffer=0x2d206a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d206a0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.037] GetLastError () returned 0x0 [0272.037] GetLastError () returned 0x0 [0272.037] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.037] WriteFile (in: hFile=0x260, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.038] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.038] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8765745, dwHighDateTime=0x1d5fd73)) [0272.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.038] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.038] GetProcessHeap () returned 0xa10000 [0272.038] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.039] GetSystemDefaultLangID () returned 0xa20409 [0272.039] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.039] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.047] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.048] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.048] GetProcessHeap () returned 0xa10000 [0272.048] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.048] CloseHandle (hObject=0x260) returned 1 [0272.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d206a0 | out: hHeap=0x28d0000) returned 1 [0272.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0272.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0272.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de120 | out: hHeap=0x28d0000) returned 1 [0272.052] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0272.052] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.nefilim")) returned 1 [0272.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0272.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd68 | out: hHeap=0x28d0000) returned 1 [0272.053] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx", cAlternateFileName="MI3773~1.EVT")) returned 1 [0272.053] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2=".") returned 1 [0272.053] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="..") returned 1 [0272.053] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="...") returned 1 [0272.053] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="windows") returned -1 [0272.053] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="rsa") returned -1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="NTDETECT.COM") returned -1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="ntldr") returned -1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="MSDOS.SYS") returned -1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="IO.SYS") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="boot.ini") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="ntuser.dat") returned -1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="desktop.ini") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="CONFIG.SYS") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="RECYCLER") returned -1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="bootmgr") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="programdata") returned -1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="appdata") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="program files") returned -1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="program files (x86)") returned -1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="microsoft") returned 1 [0272.054] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="sophos") returned -1 [0272.054] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.054] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Debug.evtx") returned=".evtx" [0272.054] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.054] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.054] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.055] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.055] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.055] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.055] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.056] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1052672) returned 1 [0272.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0272.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0272.056] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0272.056] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0272.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20070 [0272.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0272.056] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.058] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.061] GetTickCount () returned 0x1184340 [0272.061] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.061] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.061] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.061] SetLastError (dwErrCode=0x0) [0272.061] WriteFile (in: hFile=0x260, lpBuffer=0x2d20070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20070*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.062] GetLastError () returned 0x0 [0272.062] GetLastError () returned 0x0 [0272.062] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.062] WriteFile (in: hFile=0x260, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.062] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.062] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc87b1be2, dwHighDateTime=0x1d5fd73)) [0272.062] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.062] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.063] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.063] GetProcessHeap () returned 0xa10000 [0272.063] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x101000) returned 0x2e2f020 [0272.065] GetSystemDefaultLangID () returned 0xa20409 [0272.065] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.065] ReadFile (in: hFile=0x260, lpBuffer=0x2e2f020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e2f020*, lpNumberOfBytesRead=0x26ef2ac*=0x101000, lpOverlapped=0x0) returned 1 [0272.204] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.204] WriteFile (in: hFile=0x260, lpBuffer=0x2e2f020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e2f020*, lpNumberOfBytesWritten=0x26ef2a0*=0x101000, lpOverlapped=0x0) returned 1 [0272.207] GetProcessHeap () returned 0xa10000 [0272.207] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0x2e2f020 | out: hHeap=0xa10000) returned 1 [0272.213] CloseHandle (hObject=0x260) returned 1 [0272.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20070 | out: hHeap=0x28d0000) returned 1 [0272.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0272.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0272.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0272.268] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.268] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.nefilim")) returned 1 [0272.269] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.269] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.269] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx", cAlternateFileName="MI36AA~1.EVT")) returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2=".") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="..") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="...") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="windows") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="rsa") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="ntldr") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="IO.SYS") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="boot.ini") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="desktop.ini") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="RECYCLER") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="bootmgr") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="programdata") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="appdata") returned 1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="program files") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="program files (x86)") returned -1 [0272.269] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="microsoft") returned 1 [0272.270] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="sophos") returned -1 [0272.270] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.270] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.270] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Operational.evtx") returned=".evtx" [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.270] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.270] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.270] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.270] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.271] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0272.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0272.271] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0272.271] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0272.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0272.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0272.271] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.275] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.277] GetTickCount () returned 0x118441b [0272.277] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.277] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.277] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.277] SetLastError (dwErrCode=0x0) [0272.277] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.279] GetLastError () returned 0x0 [0272.279] GetLastError () returned 0x0 [0272.279] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.279] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.279] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.279] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc89c7da8, dwHighDateTime=0x1d5fd73)) [0272.279] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.279] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.279] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.279] GetProcessHeap () returned 0xa10000 [0272.279] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.279] GetSystemDefaultLangID () returned 0xa20409 [0272.279] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.279] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.301] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.301] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.302] GetProcessHeap () returned 0xa10000 [0272.302] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.302] CloseHandle (hObject=0x260) returned 1 [0272.322] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0272.322] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0272.322] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0272.322] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0272.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.322] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.nefilim")) returned 1 [0272.323] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.323] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.323] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cAlternateFileName="MI2E2E~1.EVT")) returned 1 [0272.323] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2=".") returned 1 [0272.323] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="..") returned 1 [0272.323] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="...") returned 1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="windows") returned -1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="rsa") returned -1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="NTDETECT.COM") returned -1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="ntldr") returned -1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="MSDOS.SYS") returned -1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="IO.SYS") returned 1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="boot.ini") returned 1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="ntuser.dat") returned -1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="desktop.ini") returned 1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="CONFIG.SYS") returned 1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="RECYCLER") returned -1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="bootmgr") returned 1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="programdata") returned -1 [0272.324] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="appdata") returned 1 [0272.325] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="program files") returned -1 [0272.325] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="program files (x86)") returned -1 [0272.325] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="microsoft") returned 1 [0272.325] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="sophos") returned -1 [0272.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.325] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned=".evtx" [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.325] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.326] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.326] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.326] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.326] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.326] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.326] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.326] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0272.326] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0272.326] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0272.326] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0272.327] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0272.327] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0272.327] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.328] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.330] GetTickCount () returned 0x118444a [0272.330] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.330] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.330] SetLastError (dwErrCode=0x0) [0272.330] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.332] GetLastError () returned 0x0 [0272.332] GetLastError () returned 0x0 [0272.332] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.332] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.332] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.332] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8a3a47b, dwHighDateTime=0x1d5fd73)) [0272.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.332] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.332] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.332] GetProcessHeap () returned 0xa10000 [0272.332] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.332] GetSystemDefaultLangID () returned 0xa20409 [0272.332] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.333] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.370] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.370] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.371] GetProcessHeap () returned 0xa10000 [0272.371] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.371] CloseHandle (hObject=0x260) returned 1 [0272.373] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0272.373] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0272.373] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0272.373] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0272.373] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.373] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.nefilim")) returned 1 [0272.374] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.374] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.374] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx", cAlternateFileName="MI1C6C~1.EVT")) returned 1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2=".") returned 1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="..") returned 1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="...") returned 1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="windows") returned -1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="rsa") returned -1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="ntldr") returned -1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="IO.SYS") returned 1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="boot.ini") returned 1 [0272.374] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="desktop.ini") returned 1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="RECYCLER") returned -1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="bootmgr") returned 1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="programdata") returned -1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="appdata") returned 1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="program files") returned -1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="program files (x86)") returned -1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="microsoft") returned 1 [0272.375] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="sophos") returned -1 [0272.375] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.375] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.375] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4Operational.evtx") returned=".evtx" [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.375] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.376] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.376] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.376] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0272.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0272.376] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0272.376] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0272.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0272.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21720 [0272.376] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.378] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21720*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21720*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.379] GetTickCount () returned 0x1184479 [0272.379] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.379] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.379] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.379] SetLastError (dwErrCode=0x0) [0272.379] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.380] GetLastError () returned 0x0 [0272.380] GetLastError () returned 0x0 [0272.380] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.380] WriteFile (in: hFile=0x260, lpBuffer=0x2d21720*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21720*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.380] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.381] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8aaca5c, dwHighDateTime=0x1d5fd73)) [0272.381] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.381] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.381] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.381] GetProcessHeap () returned 0xa10000 [0272.381] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.381] GetSystemDefaultLangID () returned 0xa20409 [0272.381] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.381] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.399] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.399] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.400] GetProcessHeap () returned 0xa10000 [0272.400] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.400] CloseHandle (hObject=0x260) returned 1 [0272.436] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0272.436] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21720 | out: hHeap=0x28d0000) returned 1 [0272.436] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0272.436] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0272.436] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.436] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.nefilim")) returned 1 [0272.437] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.437] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.437] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx", cAlternateFileName="MI00FB~1.EVT")) returned 1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2=".") returned 1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="..") returned 1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="...") returned 1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="windows") returned -1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="rsa") returned -1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="NTDETECT.COM") returned -1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="ntldr") returned -1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="MSDOS.SYS") returned -1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="IO.SYS") returned 1 [0272.437] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="boot.ini") returned 1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="ntuser.dat") returned -1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="desktop.ini") returned 1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="CONFIG.SYS") returned 1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="RECYCLER") returned -1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="bootmgr") returned 1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="programdata") returned -1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="appdata") returned 1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="program files") returned -1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="program files (x86)") returned -1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="microsoft") returned 1 [0272.438] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="sophos") returned -1 [0272.438] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.438] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.438] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Connectivity.evtx") returned=".evtx" [0272.438] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.438] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.438] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.438] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.438] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.438] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.438] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.438] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.439] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.439] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.439] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.439] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.439] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.439] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.439] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.439] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.439] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.439] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.439] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.439] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.439] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0272.439] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0272.440] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0272.440] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0272.440] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0272.440] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0272.440] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.442] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.444] GetTickCount () returned 0x11844b7 [0272.444] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.444] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.444] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.444] SetLastError (dwErrCode=0x0) [0272.444] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.445] GetLastError () returned 0x0 [0272.445] GetLastError () returned 0x0 [0272.445] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.445] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.445] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.445] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8b454f3, dwHighDateTime=0x1d5fd73)) [0272.445] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.445] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.445] GetProcessHeap () returned 0xa10000 [0272.446] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.446] GetSystemDefaultLangID () returned 0xa20409 [0272.446] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.446] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.480] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.480] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.481] GetProcessHeap () returned 0xa10000 [0272.481] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.481] CloseHandle (hObject=0x260) returned 1 [0272.495] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0272.495] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0272.495] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0272.495] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0272.495] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.495] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.nefilim")) returned 1 [0272.496] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.496] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.496] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx", cAlternateFileName="MID8B0~1.EVT")) returned 1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2=".") returned 1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="..") returned 1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="...") returned 1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="windows") returned -1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="rsa") returned -1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="ntldr") returned -1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="IO.SYS") returned 1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="boot.ini") returned 1 [0272.496] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="desktop.ini") returned 1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="RECYCLER") returned -1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="bootmgr") returned 1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="programdata") returned -1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="appdata") returned 1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="program files") returned -1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="program files (x86)") returned -1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="microsoft") returned 1 [0272.497] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="sophos") returned -1 [0272.497] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.497] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.497] PathFindExtensionW (pszPath="Microsoft-Windows-SMBClient%4Operational.evtx") returned=".evtx" [0272.497] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.497] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.498] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.498] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.498] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.498] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.498] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.498] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.498] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.498] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.499] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.499] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.499] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.499] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.499] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.499] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.499] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.499] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.499] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0272.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0a8 [0272.499] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0272.499] SystemFunction036 (in: RandomBuffer=0x28de0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0a8) returned 1 [0272.500] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0272.500] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0272.500] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.501] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.503] GetTickCount () returned 0x11844f6 [0272.503] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.503] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.503] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.503] SetLastError (dwErrCode=0x0) [0272.503] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.505] GetLastError () returned 0x0 [0272.505] GetLastError () returned 0x0 [0272.505] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.505] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.505] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.505] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8be146b, dwHighDateTime=0x1d5fd73)) [0272.505] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.505] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.505] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.505] GetProcessHeap () returned 0xa10000 [0272.505] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.505] GetSystemDefaultLangID () returned 0xa20409 [0272.505] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.506] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.515] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.516] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.516] GetProcessHeap () returned 0xa10000 [0272.516] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.516] CloseHandle (hObject=0x260) returned 1 [0272.520] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0272.520] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0272.520] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0272.520] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0a8 | out: hHeap=0x28d0000) returned 1 [0272.520] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.520] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.nefilim")) returned 1 [0272.521] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.521] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.521] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-SmbClient%4Security.evtx", cAlternateFileName="MI8CEE~1.EVT")) returned 1 [0272.521] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2=".") returned 1 [0272.521] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="..") returned 1 [0272.521] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="...") returned 1 [0272.521] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="windows") returned -1 [0272.521] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.521] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="rsa") returned -1 [0272.521] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="NTDETECT.COM") returned -1 [0272.521] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="ntldr") returned -1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="MSDOS.SYS") returned -1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="IO.SYS") returned 1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="boot.ini") returned 1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="ntuser.dat") returned -1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="desktop.ini") returned 1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="CONFIG.SYS") returned 1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="RECYCLER") returned -1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="bootmgr") returned 1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="programdata") returned -1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="appdata") returned 1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="program files") returned -1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="program files (x86)") returned -1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="microsoft") returned 1 [0272.522] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="sophos") returned -1 [0272.522] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.522] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.522] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Security.evtx") returned=".evtx" [0272.522] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.522] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.522] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.522] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.522] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.522] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.522] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.523] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.523] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.523] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.523] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.523] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.523] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.523] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.523] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.523] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.523] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.523] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.523] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.535] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.535] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0272.535] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0272.535] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0272.535] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0272.535] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0272.535] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0272.535] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.537] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.538] GetTickCount () returned 0x1184515 [0272.538] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.538] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.538] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.538] SetLastError (dwErrCode=0x0) [0272.538] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.540] GetLastError () returned 0x0 [0272.540] GetLastError () returned 0x0 [0272.540] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.540] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.540] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.540] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8c2a2a6, dwHighDateTime=0x1d5fd73)) [0272.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.540] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.540] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.540] GetProcessHeap () returned 0xa10000 [0272.540] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.540] GetSystemDefaultLangID () returned 0xa20409 [0272.540] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.540] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.561] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.561] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.561] GetProcessHeap () returned 0xa10000 [0272.561] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.561] CloseHandle (hObject=0x260) returned 1 [0272.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0272.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0272.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0272.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0272.577] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.577] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.nefilim")) returned 1 [0272.578] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.578] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.578] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx", cAlternateFileName="MIE3AD~1.EVT")) returned 1 [0272.578] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2=".") returned 1 [0272.578] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="..") returned 1 [0272.578] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="...") returned 1 [0272.578] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="windows") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="rsa") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="NTDETECT.COM") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="ntldr") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="MSDOS.SYS") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="IO.SYS") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="boot.ini") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="ntuser.dat") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="desktop.ini") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="CONFIG.SYS") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="RECYCLER") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="bootmgr") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="programdata") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="appdata") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="program files") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="program files (x86)") returned -1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="microsoft") returned 1 [0272.579] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="sophos") returned -1 [0272.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0272.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.579] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Audit.evtx") returned=".evtx" [0272.579] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.579] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.579] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.579] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.580] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.580] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1278 [0272.580] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.581] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0272.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0272.581] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0272.581] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0272.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21720 [0272.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0272.581] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21720*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21720*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.581] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.582] GetTickCount () returned 0x1184544 [0272.582] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12e0 [0272.582] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e0 | out: hHeap=0x28d0000) returned 1 [0272.582] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.582] SetLastError (dwErrCode=0x0) [0272.582] WriteFile (in: hFile=0x260, lpBuffer=0x2d21720*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21720*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.583] GetLastError () returned 0x0 [0272.583] GetLastError () returned 0x0 [0272.583] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.583] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.583] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.583] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8ca1a72, dwHighDateTime=0x1d5fd73)) [0272.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.584] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.584] GetProcessHeap () returned 0xa10000 [0272.584] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.584] GetSystemDefaultLangID () returned 0xa20409 [0272.584] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.584] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.603] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.603] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.603] GetProcessHeap () returned 0xa10000 [0272.603] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.603] CloseHandle (hObject=0x260) returned 1 [0272.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21720 | out: hHeap=0x28d0000) returned 1 [0272.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0272.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0272.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0272.608] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0272.608] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.nefilim")) returned 1 [0272.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0272.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.609] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx", cAlternateFileName="MI8248~1.EVT")) returned 1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2=".") returned 1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="..") returned 1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="...") returned 1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="windows") returned -1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="rsa") returned -1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="NTDETECT.COM") returned -1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="ntldr") returned -1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="MSDOS.SYS") returned -1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="IO.SYS") returned 1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="boot.ini") returned 1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="ntuser.dat") returned -1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="desktop.ini") returned 1 [0272.609] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="CONFIG.SYS") returned 1 [0272.610] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="RECYCLER") returned -1 [0272.610] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.610] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="bootmgr") returned 1 [0272.610] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="programdata") returned -1 [0272.610] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="appdata") returned 1 [0272.610] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="program files") returned -1 [0272.610] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="program files (x86)") returned -1 [0272.610] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="microsoft") returned 1 [0272.610] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="sophos") returned -1 [0272.610] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.610] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.610] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Connectivity.evtx") returned=".evtx" [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.610] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.611] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.611] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.611] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0272.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0272.611] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0272.611] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0272.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0272.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0272.611] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.612] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.613] GetTickCount () returned 0x1184563 [0272.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.613] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.613] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.613] SetLastError (dwErrCode=0x0) [0272.613] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.614] GetLastError () returned 0x0 [0272.614] GetLastError () returned 0x0 [0272.614] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.614] WriteFile (in: hFile=0x260, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.614] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.615] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc8cee5a0, dwHighDateTime=0x1d5fd73)) [0272.615] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.615] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.615] GetProcessHeap () returned 0xa10000 [0272.615] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.616] GetSystemDefaultLangID () returned 0xa20409 [0272.616] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.616] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.939] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.939] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.940] GetProcessHeap () returned 0xa10000 [0272.940] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.940] CloseHandle (hObject=0x260) returned 1 [0272.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0272.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0272.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0272.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0272.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.947] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.nefilim")) returned 1 [0272.948] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.948] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.948] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx", cAlternateFileName="MI4B6B~1.EVT")) returned 1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2=".") returned 1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="..") returned 1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="...") returned 1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="windows") returned -1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="rsa") returned -1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="ntldr") returned -1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="IO.SYS") returned 1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="boot.ini") returned 1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="desktop.ini") returned 1 [0272.948] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0272.949] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="RECYCLER") returned -1 [0272.949] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.949] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="bootmgr") returned 1 [0272.949] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="programdata") returned -1 [0272.949] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="appdata") returned 1 [0272.949] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="program files") returned -1 [0272.949] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="program files (x86)") returned -1 [0272.949] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="microsoft") returned 1 [0272.949] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="sophos") returned -1 [0272.949] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.949] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.949] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Operational.evtx") returned=".evtx" [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.949] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.950] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.950] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.950] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.950] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.950] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.950] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.950] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.950] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0272.950] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0272.950] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0272.950] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0272.950] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0272.950] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0272.950] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.953] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ef244*=0x100) returned 1 [0272.959] GetTickCount () returned 0x11846bb [0272.959] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0272.959] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.959] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.959] SetLastError (dwErrCode=0x0) [0272.959] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.960] GetLastError () returned 0x0 [0272.960] GetLastError () returned 0x0 [0272.961] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.961] WriteFile (in: hFile=0x260, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0272.961] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.961] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc9044cb0, dwHighDateTime=0x1d5fd73)) [0272.961] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0272.961] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0272.961] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0272.961] GetProcessHeap () returned 0xa10000 [0272.961] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0272.962] GetSystemDefaultLangID () returned 0xa20409 [0272.962] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.963] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0272.973] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0272.973] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0272.974] GetProcessHeap () returned 0xa10000 [0272.974] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0272.974] CloseHandle (hObject=0x260) returned 1 [0272.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0272.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0272.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0272.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0272.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0272.981] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.nefilim")) returned 1 [0272.982] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0272.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0272.983] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBServer%4Security.evtx", cAlternateFileName="MI7709~1.EVT")) returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2=".") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="..") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="...") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="windows") returned -1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="$RECYCLE.BIN") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="rsa") returned -1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="NTDETECT.COM") returned -1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="ntldr") returned -1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="MSDOS.SYS") returned -1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="IO.SYS") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="boot.ini") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="ntuser.dat") returned -1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="desktop.ini") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="CONFIG.SYS") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="RECYCLER") returned -1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="BOOTSECT.BAK") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="bootmgr") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="programdata") returned -1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="appdata") returned 1 [0272.983] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="program files") returned -1 [0272.984] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="program files (x86)") returned -1 [0272.984] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="microsoft") returned 1 [0272.984] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="sophos") returned -1 [0272.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0272.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0272.984] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Security.evtx") returned=".evtx" [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0272.984] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0272.984] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0272.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0272.985] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0272.985] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0272.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0272.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0a8 [0272.985] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0272.985] SystemFunction036 (in: RandomBuffer=0x28de0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0a8) returned 1 [0272.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0272.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0272.985] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0272.998] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.001] GetTickCount () returned 0x11846da [0273.001] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.001] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.001] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.001] SetLastError (dwErrCode=0x0) [0273.001] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.003] GetLastError () returned 0x0 [0273.003] GetLastError () returned 0x0 [0273.003] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.003] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.003] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.003] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc90b339c, dwHighDateTime=0x1d5fd73)) [0273.003] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.003] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.003] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.004] GetProcessHeap () returned 0xa10000 [0273.004] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.005] GetSystemDefaultLangID () returned 0xa20409 [0273.005] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.005] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.012] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.012] GetProcessHeap () returned 0xa10000 [0273.012] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.012] CloseHandle (hObject=0x260) returned 1 [0273.019] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0273.019] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0273.019] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0273.019] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0a8 | out: hHeap=0x28d0000) returned 1 [0273.019] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0273.019] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.nefilim")) returned 1 [0273.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0273.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.020] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Store%4Operational.evtx", cAlternateFileName="MICEDD~1.EVT")) returned 1 [0273.020] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2=".") returned 1 [0273.020] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="..") returned 1 [0273.020] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="...") returned 1 [0273.020] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="windows") returned -1 [0273.020] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.020] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="rsa") returned -1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="ntldr") returned -1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="IO.SYS") returned 1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="boot.ini") returned 1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="desktop.ini") returned 1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="RECYCLER") returned -1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="bootmgr") returned 1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="programdata") returned -1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="appdata") returned 1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="program files") returned -1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="program files (x86)") returned -1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="microsoft") returned 1 [0273.021] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="sophos") returned -1 [0273.021] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0273.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.021] PathFindExtensionW (pszPath="Microsoft-Windows-Store%4Operational.evtx") returned=".evtx" [0273.021] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.021] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.021] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.021] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.021] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.022] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.022] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0273.022] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.023] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0273.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.023] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0273.023] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20070 [0273.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0273.024] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20070*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.025] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.028] GetTickCount () returned 0x11846fa [0273.029] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.029] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.029] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.029] SetLastError (dwErrCode=0x0) [0273.029] WriteFile (in: hFile=0x260, lpBuffer=0x2d20070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20070*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.030] GetLastError () returned 0x0 [0273.030] GetLastError () returned 0x0 [0273.030] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.030] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.030] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.030] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc90d9675, dwHighDateTime=0x1d5fd73)) [0273.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.031] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.031] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.031] GetProcessHeap () returned 0xa10000 [0273.031] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.032] GetSystemDefaultLangID () returned 0xa20409 [0273.032] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.032] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.052] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.052] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.054] GetProcessHeap () returned 0xa10000 [0273.054] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.054] CloseHandle (hObject=0x260) returned 1 [0273.058] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20070 | out: hHeap=0x28d0000) returned 1 [0273.058] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0273.059] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0273.059] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.059] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0273.059] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.nefilim")) returned 1 [0273.062] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0273.062] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.062] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cAlternateFileName="MIE2F0~1.EVT")) returned 1 [0273.062] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2=".") returned 1 [0273.062] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="..") returned 1 [0273.063] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="...") returned 1 [0273.063] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="windows") returned -1 [0273.063] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.063] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="rsa") returned -1 [0273.063] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="NTDETECT.COM") returned -1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="ntldr") returned -1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="MSDOS.SYS") returned -1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="IO.SYS") returned 1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="boot.ini") returned 1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="ntuser.dat") returned -1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="desktop.ini") returned 1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="CONFIG.SYS") returned 1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="RECYCLER") returned -1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="bootmgr") returned 1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="programdata") returned -1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="appdata") returned 1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="program files") returned -1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="program files (x86)") returned -1 [0273.064] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="microsoft") returned 1 [0273.065] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="sophos") returned -1 [0273.065] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0273.065] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.065] PathFindExtensionW (pszPath="Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned=".evtx" [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.066] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.067] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.067] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.067] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.067] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.067] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.067] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0273.067] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.069] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0273.069] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.069] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0273.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0273.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0273.069] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.071] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.075] GetTickCount () returned 0x1184728 [0273.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.075] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.075] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.075] SetLastError (dwErrCode=0x0) [0273.076] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.077] GetLastError () returned 0x0 [0273.077] GetLastError () returned 0x0 [0273.077] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.077] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.077] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.077] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc914bb3a, dwHighDateTime=0x1d5fd73)) [0273.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.077] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.078] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.078] GetProcessHeap () returned 0xa10000 [0273.078] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.079] GetSystemDefaultLangID () returned 0xa20409 [0273.079] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.079] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.085] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.085] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.085] GetProcessHeap () returned 0xa10000 [0273.085] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.086] CloseHandle (hObject=0x260) returned 1 [0273.106] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0273.106] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0273.106] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.106] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0273.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0273.106] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.nefilim")) returned 1 [0273.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0273.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.107] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cAlternateFileName="MIAB1D~1.EVT")) returned 1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2=".") returned 1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="..") returned 1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="...") returned 1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="windows") returned -1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="rsa") returned -1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="ntldr") returned -1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="IO.SYS") returned 1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="boot.ini") returned 1 [0273.107] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="desktop.ini") returned 1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="RECYCLER") returned -1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="bootmgr") returned 1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="programdata") returned -1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="appdata") returned 1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="program files") returned -1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="program files (x86)") returned -1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="microsoft") returned 1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="sophos") returned -1 [0273.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbcc0 [0273.108] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.108] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned=".evtx" [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.108] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.108] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd68 [0273.109] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.109] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0273.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.109] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0273.109] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0273.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0273.109] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.111] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.114] GetTickCount () returned 0x1184757 [0273.114] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.114] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.114] SetLastError (dwErrCode=0x0) [0273.114] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.115] GetLastError () returned 0x0 [0273.115] GetLastError () returned 0x0 [0273.115] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.115] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.116] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.116] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc91be43f, dwHighDateTime=0x1d5fd73)) [0273.116] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.116] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.116] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.116] GetProcessHeap () returned 0xa10000 [0273.116] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.117] GetSystemDefaultLangID () returned 0xa20409 [0273.117] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.117] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.124] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.124] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.124] GetProcessHeap () returned 0xa10000 [0273.124] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.124] CloseHandle (hObject=0x260) returned 1 [0273.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0273.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0273.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0273.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.127] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0273.127] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.nefilim")) returned 1 [0273.128] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0273.128] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd68 | out: hHeap=0x28d0000) returned 1 [0273.128] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cAlternateFileName="MI62D3~1.EVT")) returned 1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2=".") returned 1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="..") returned 1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="...") returned 1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="windows") returned -1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="rsa") returned -1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="ntldr") returned -1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0273.128] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="IO.SYS") returned 1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="boot.ini") returned 1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="desktop.ini") returned 1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="RECYCLER") returned -1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="bootmgr") returned 1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="programdata") returned -1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="appdata") returned 1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="program files") returned -1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="program files (x86)") returned -1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="microsoft") returned 1 [0273.129] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="sophos") returned -1 [0273.129] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbd68 [0273.129] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.129] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned=".evtx" [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.129] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.130] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.130] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.130] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.130] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.130] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.130] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.130] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe20 [0273.130] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.130] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0273.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.130] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0273.130] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0273.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0273.130] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.132] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.135] GetTickCount () returned 0x1184767 [0273.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.135] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.135] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.135] SetLastError (dwErrCode=0x0) [0273.135] WriteFile (in: hFile=0x260, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.136] GetLastError () returned 0x0 [0273.136] GetLastError () returned 0x0 [0273.136] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.136] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.136] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.136] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc91e4635, dwHighDateTime=0x1d5fd73)) [0273.136] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.137] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.137] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.137] GetProcessHeap () returned 0xa10000 [0273.137] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.138] GetSystemDefaultLangID () returned 0xa20409 [0273.138] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.138] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.145] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.145] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.146] GetProcessHeap () returned 0xa10000 [0273.146] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.146] CloseHandle (hObject=0x260) returned 1 [0273.152] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0273.152] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0273.152] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0273.153] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.153] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de318 [0273.153] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.nefilim")) returned 1 [0273.154] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0273.154] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe20 | out: hHeap=0x28d0000) returned 1 [0273.154] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cAlternateFileName="MIEC03~1.EVT")) returned 1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2=".") returned 1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="..") returned 1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="...") returned 1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="windows") returned -1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="rsa") returned -1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="ntldr") returned -1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="IO.SYS") returned 1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="boot.ini") returned 1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0273.154] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="desktop.ini") returned 1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="RECYCLER") returned -1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="bootmgr") returned 1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="programdata") returned -1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="appdata") returned 1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="program files") returned -1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="program files (x86)") returned -1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="microsoft") returned 1 [0273.155] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="sophos") returned -1 [0273.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbcc0 [0273.155] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd68 | out: hHeap=0x28d0000) returned 1 [0273.155] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned=".evtx" [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.155] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.156] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.156] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.156] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.156] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.156] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.156] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.156] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd68 [0273.156] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.157] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0273.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.157] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0273.158] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.158] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0273.158] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0273.158] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.160] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.161] GetTickCount () returned 0x1184786 [0273.161] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.162] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.162] SetLastError (dwErrCode=0x0) [0273.162] WriteFile (in: hFile=0x260, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.163] GetLastError () returned 0x0 [0273.163] GetLastError () returned 0x0 [0273.163] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.163] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.163] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.163] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc9230b18, dwHighDateTime=0x1d5fd73)) [0273.163] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.164] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.164] GetProcessHeap () returned 0xa10000 [0273.164] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.164] GetSystemDefaultLangID () returned 0xa20409 [0273.164] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.164] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.170] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.170] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.171] GetProcessHeap () returned 0xa10000 [0273.171] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.171] CloseHandle (hObject=0x260) returned 1 [0273.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0273.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0273.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0273.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.183] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0273.183] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.nefilim")) returned 1 [0273.184] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0273.184] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd68 | out: hHeap=0x28d0000) returned 1 [0273.184] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cAlternateFileName="MI1F5D~1.EVT")) returned 1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2=".") returned 1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="..") returned 1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="...") returned 1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="windows") returned -1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="rsa") returned -1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="ntldr") returned -1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="IO.SYS") returned 1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="boot.ini") returned 1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.184] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="desktop.ini") returned 1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="RECYCLER") returned -1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="bootmgr") returned 1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="programdata") returned -1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="appdata") returned 1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="program files") returned -1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="program files (x86)") returned -1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="microsoft") returned 1 [0273.185] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="sophos") returned -1 [0273.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbd68 [0273.185] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.185] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned=".evtx" [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.185] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.186] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.186] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.186] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.186] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.186] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe20 [0273.186] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.232] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.232] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.233] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0273.233] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.233] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0273.233] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0273.233] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0273.233] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.233] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.233] GetTickCount () returned 0x11847c5 [0273.234] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.234] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.234] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.234] SetLastError (dwErrCode=0x0) [0273.234] WriteFile (in: hFile=0x260, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.235] GetLastError () returned 0x0 [0273.235] GetLastError () returned 0x0 [0273.235] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.235] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.236] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.236] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc92c9255, dwHighDateTime=0x1d5fd73)) [0273.236] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.236] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.236] GetProcessHeap () returned 0xa10000 [0273.236] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.236] GetSystemDefaultLangID () returned 0xa20409 [0273.236] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.236] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.242] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.242] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.242] GetProcessHeap () returned 0xa10000 [0273.242] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.242] CloseHandle (hObject=0x260) returned 1 [0273.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0273.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0273.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0273.252] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de318 [0273.252] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.nefilim")) returned 1 [0273.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0273.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe20 | out: hHeap=0x28d0000) returned 1 [0273.253] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx", cAlternateFileName="MIA925~1.EVT")) returned 1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2=".") returned 1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="..") returned 1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="...") returned 1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="windows") returned -1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="rsa") returned -1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="ntldr") returned -1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0273.253] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="IO.SYS") returned 1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="boot.ini") returned 1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="desktop.ini") returned 1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="RECYCLER") returned -1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="bootmgr") returned 1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="programdata") returned -1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="appdata") returned 1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="program files") returned -1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="program files (x86)") returned -1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="microsoft") returned 1 [0273.254] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="sophos") returned -1 [0273.254] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0273.254] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd68 | out: hHeap=0x28d0000) returned 1 [0273.254] PathFindExtensionW (pszPath="Microsoft-Windows-TWinUI%4Operational.evtx") returned=".evtx" [0273.254] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.254] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.254] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.254] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.254] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.254] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.254] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.255] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.255] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.255] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.255] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.255] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.255] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.255] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.255] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.255] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.255] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.255] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0273.255] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.255] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.255] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.255] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0273.255] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.256] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0273.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0273.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0273.256] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.256] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.258] GetTickCount () returned 0x11847e4 [0273.258] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.258] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.258] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.258] SetLastError (dwErrCode=0x0) [0273.258] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.259] GetLastError () returned 0x0 [0273.259] GetLastError () returned 0x0 [0273.259] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.260] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.260] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.260] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc9315a05, dwHighDateTime=0x1d5fd73)) [0273.260] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.260] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.260] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.260] GetProcessHeap () returned 0xa10000 [0273.260] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.261] GetSystemDefaultLangID () returned 0xa20409 [0273.261] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.261] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.278] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.278] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.279] GetProcessHeap () returned 0xa10000 [0273.279] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.279] CloseHandle (hObject=0x260) returned 1 [0273.289] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0273.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0273.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0273.290] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0273.290] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.nefilim")) returned 1 [0273.291] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0273.291] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.291] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx", cAlternateFileName="MI4D4C~1.EVT")) returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2=".") returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="..") returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="...") returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="windows") returned -1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="rsa") returned -1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="ntldr") returned -1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="IO.SYS") returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="boot.ini") returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="desktop.ini") returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="RECYCLER") returned -1 [0273.291] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.292] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="bootmgr") returned 1 [0273.292] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="programdata") returned -1 [0273.292] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="appdata") returned 1 [0273.292] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="program files") returned -1 [0273.292] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="program files (x86)") returned -1 [0273.292] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="microsoft") returned 1 [0273.292] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="sophos") returned -1 [0273.292] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0273.292] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.292] PathFindExtensionW (pszPath="Microsoft-Windows-User Profile Service%4Operational.evtx") returned=".evtx" [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.292] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.293] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.293] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28d1278 [0273.293] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.293] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0273.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0273.293] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0273.293] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0273.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0273.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0273.293] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.295] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.298] GetTickCount () returned 0x1184803 [0273.298] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.298] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.298] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.298] SetLastError (dwErrCode=0x0) [0273.298] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.300] GetLastError () returned 0x0 [0273.300] GetLastError () returned 0x0 [0273.300] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.300] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.300] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.300] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc938804b, dwHighDateTime=0x1d5fd73)) [0273.300] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.300] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.300] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.300] GetProcessHeap () returned 0xa10000 [0273.300] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.302] GetSystemDefaultLangID () returned 0xa20409 [0273.302] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.302] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.308] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.308] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.309] GetProcessHeap () returned 0xa10000 [0273.309] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.309] CloseHandle (hObject=0x260) returned 1 [0273.316] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0273.316] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0273.316] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0273.316] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0273.316] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd58 [0273.317] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.nefilim")) returned 1 [0273.317] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd58 | out: hHeap=0x28d0000) returned 1 [0273.318] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.318] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cAlternateFileName="MI5FF0~1.EVT")) returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2=".") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="..") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="...") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="windows") returned -1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="rsa") returned -1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="NTDETECT.COM") returned -1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="ntldr") returned -1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="MSDOS.SYS") returned -1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="IO.SYS") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="boot.ini") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="ntuser.dat") returned -1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="desktop.ini") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="CONFIG.SYS") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="RECYCLER") returned -1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="bootmgr") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="programdata") returned -1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="appdata") returned 1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="program files") returned -1 [0273.318] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="program files (x86)") returned -1 [0273.319] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="microsoft") returned 1 [0273.319] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="sophos") returned -1 [0273.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0273.319] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.319] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned=".evtx" [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.319] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.319] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0273.319] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.320] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.320] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.320] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0273.320] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.320] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0273.320] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0273.320] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20070 [0273.320] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.322] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20070*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20070*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.324] GetTickCount () returned 0x1184822 [0273.324] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.324] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.324] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.324] SetLastError (dwErrCode=0x0) [0273.324] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.325] GetLastError () returned 0x0 [0273.325] GetLastError () returned 0x0 [0273.325] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.325] WriteFile (in: hFile=0x260, lpBuffer=0x2d20070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20070*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.325] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.325] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc93af257, dwHighDateTime=0x1d5fd73)) [0273.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.325] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.326] GetProcessHeap () returned 0xa10000 [0273.326] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.326] GetSystemDefaultLangID () returned 0xa20409 [0273.326] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.326] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.332] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.332] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.332] GetProcessHeap () returned 0xa10000 [0273.332] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.332] CloseHandle (hObject=0x260) returned 1 [0273.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0273.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20070 | out: hHeap=0x28d0000) returned 1 [0273.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0273.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0273.345] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.nefilim")) returned 1 [0273.347] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0273.347] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.347] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cAlternateFileName="MIBD88~1.EVT")) returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2=".") returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="..") returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="...") returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="windows") returned -1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="rsa") returned -1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="NTDETECT.COM") returned -1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="ntldr") returned -1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="MSDOS.SYS") returned -1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="IO.SYS") returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="boot.ini") returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="ntuser.dat") returned -1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="desktop.ini") returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="CONFIG.SYS") returned 1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="RECYCLER") returned -1 [0273.347] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.348] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="bootmgr") returned 1 [0273.348] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="programdata") returned -1 [0273.348] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="appdata") returned 1 [0273.348] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="program files") returned -1 [0273.348] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="program files (x86)") returned -1 [0273.348] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="microsoft") returned 1 [0273.348] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="sophos") returned -1 [0273.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0273.348] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.348] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned=".evtx" [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.348] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.348] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0273.349] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.349] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0273.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.349] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0273.349] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0273.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0273.349] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.351] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.353] GetTickCount () returned 0x1184842 [0273.353] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.353] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.353] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.353] SetLastError (dwErrCode=0x0) [0273.353] WriteFile (in: hFile=0x260, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.354] GetLastError () returned 0x0 [0273.354] GetLastError () returned 0x0 [0273.354] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.354] WriteFile (in: hFile=0x260, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.354] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.354] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc93fa786, dwHighDateTime=0x1d5fd73)) [0273.354] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.354] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.354] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.354] GetProcessHeap () returned 0xa10000 [0273.354] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.355] GetSystemDefaultLangID () returned 0xa20409 [0273.355] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.355] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.379] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.379] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.379] GetProcessHeap () returned 0xa10000 [0273.379] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.379] CloseHandle (hObject=0x260) returned 1 [0273.387] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0273.387] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0273.387] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0273.387] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.387] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0273.388] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.nefilim")) returned 1 [0273.389] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0273.389] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.389] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cAlternateFileName="MICC17~1.EVT")) returned 1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2=".") returned 1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="..") returned 1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="...") returned 1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="windows") returned -1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="rsa") returned -1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="ntldr") returned -1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="IO.SYS") returned 1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="boot.ini") returned 1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0273.389] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="desktop.ini") returned 1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="RECYCLER") returned -1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="bootmgr") returned 1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="programdata") returned -1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="appdata") returned 1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="program files") returned -1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="program files (x86)") returned -1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="microsoft") returned 1 [0273.390] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="sophos") returned -1 [0273.390] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28d1278 [0273.390] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.390] PathFindExtensionW (pszPath="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned=".evtx" [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.390] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.391] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.391] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.391] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.391] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.391] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.391] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0273.391] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.393] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.393] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0273.393] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0273.393] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0273.393] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0273.393] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0273.393] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0273.393] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.395] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.397] GetTickCount () returned 0x1184871 [0273.397] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.397] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.397] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.397] SetLastError (dwErrCode=0x0) [0273.397] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.399] GetLastError () returned 0x0 [0273.399] GetLastError () returned 0x0 [0273.399] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.399] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.399] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.399] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc946cd3a, dwHighDateTime=0x1d5fd73)) [0273.399] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.399] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.399] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.399] GetProcessHeap () returned 0xa10000 [0273.399] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.400] GetSystemDefaultLangID () returned 0xa20409 [0273.400] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.400] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.406] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.406] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.406] GetProcessHeap () returned 0xa10000 [0273.406] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.407] CloseHandle (hObject=0x260) returned 1 [0273.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0273.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0273.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0273.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0273.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd58 [0273.457] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.nefilim")) returned 1 [0273.458] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd58 | out: hHeap=0x28d0000) returned 1 [0273.458] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.458] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx", cAlternateFileName="MI72BF~1.EVT")) returned 1 [0273.458] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2=".") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="..") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="...") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="windows") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="rsa") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="ntldr") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="IO.SYS") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="boot.ini") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="desktop.ini") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="RECYCLER") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="bootmgr") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="programdata") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="appdata") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="program files") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="program files (x86)") returned -1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="microsoft") returned 1 [0273.459] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="sophos") returned -1 [0273.459] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0273.459] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.460] PathFindExtensionW (pszPath="Microsoft-Windows-Wcmsvc%4Operational.evtx") returned=".evtx" [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.460] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.460] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0273.460] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.461] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.461] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.461] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0273.461] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.461] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0273.461] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0273.461] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0273.461] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.463] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.465] GetTickCount () returned 0x11848af [0273.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.465] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.465] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.465] SetLastError (dwErrCode=0x0) [0273.465] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.466] GetLastError () returned 0x0 [0273.466] GetLastError () returned 0x0 [0273.466] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.467] WriteFile (in: hFile=0x260, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.467] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.467] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc9505cf4, dwHighDateTime=0x1d5fd73)) [0273.467] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.467] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.467] GetProcessHeap () returned 0xa10000 [0273.467] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.467] GetSystemDefaultLangID () returned 0xa20409 [0273.467] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.467] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.473] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.474] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.474] GetProcessHeap () returned 0xa10000 [0273.474] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.474] CloseHandle (hObject=0x260) returned 1 [0273.477] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0273.477] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0273.477] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.477] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0273.477] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0273.477] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.nefilim")) returned 1 [0273.478] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0273.478] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.478] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx", cAlternateFileName="MI7501~1.EVT")) returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2=".") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="..") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="...") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="windows") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="rsa") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="ntldr") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="IO.SYS") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="boot.ini") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="desktop.ini") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="RECYCLER") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="bootmgr") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="programdata") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="appdata") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="program files") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="program files (x86)") returned -1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="microsoft") returned 1 [0273.479] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="sophos") returned -1 [0273.479] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0273.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.480] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4Operational.evtx") returned=".evtx" [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.480] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.480] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.480] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0273.480] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.481] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.481] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0273.481] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.481] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0273.481] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.481] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0273.481] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0273.481] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.483] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.485] GetTickCount () returned 0x11848bf [0273.485] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.485] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.485] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.485] SetLastError (dwErrCode=0x0) [0273.485] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.486] GetLastError () returned 0x0 [0273.487] GetLastError () returned 0x0 [0273.487] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.487] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.487] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.487] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc9551d67, dwHighDateTime=0x1d5fd73)) [0273.487] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.487] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.487] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.488] GetProcessHeap () returned 0xa10000 [0273.488] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.488] GetSystemDefaultLangID () returned 0xa20409 [0273.488] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.488] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.494] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.494] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.494] GetProcessHeap () returned 0xa10000 [0273.494] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.494] CloseHandle (hObject=0x260) returned 1 [0273.497] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0273.497] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0273.497] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0273.497] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.497] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0273.497] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.nefilim")) returned 1 [0273.499] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0273.499] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.499] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx", cAlternateFileName="MIF226~1.EVT")) returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2=".") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="..") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="...") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="windows") returned -1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="rsa") returned -1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="NTDETECT.COM") returned -1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="ntldr") returned -1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="MSDOS.SYS") returned -1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="IO.SYS") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="boot.ini") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="ntuser.dat") returned -1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="desktop.ini") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="CONFIG.SYS") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="RECYCLER") returned -1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="bootmgr") returned 1 [0273.499] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="programdata") returned -1 [0273.500] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="appdata") returned 1 [0273.500] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="program files") returned -1 [0273.500] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="program files (x86)") returned -1 [0273.500] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="microsoft") returned 1 [0273.500] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="sophos") returned -1 [0273.500] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0273.500] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.500] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4WHC.evtx") returned=".evtx" [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.500] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.501] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.501] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0273.501] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.501] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.501] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0273.501] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.501] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0273.501] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.501] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0273.501] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0273.501] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.503] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.505] GetTickCount () returned 0x11848de [0273.505] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.505] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.505] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.505] SetLastError (dwErrCode=0x0) [0273.506] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.507] GetLastError () returned 0x0 [0273.507] GetLastError () returned 0x0 [0273.507] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.507] WriteFile (in: hFile=0x260, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.507] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.507] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc9577efe, dwHighDateTime=0x1d5fd73)) [0273.507] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.508] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.508] GetProcessHeap () returned 0xa10000 [0273.508] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.508] GetSystemDefaultLangID () returned 0xa20409 [0273.508] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.508] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.514] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.514] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.515] GetProcessHeap () returned 0xa10000 [0273.515] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.515] CloseHandle (hObject=0x260) returned 1 [0273.536] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0273.536] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0273.536] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0273.536] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0273.536] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.nefilim")) returned 1 [0273.537] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0273.537] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0273.537] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cAlternateFileName="MIDCC7~1.EVT")) returned 1 [0273.537] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2=".") returned 1 [0273.537] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="..") returned 1 [0273.537] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="...") returned 1 [0273.537] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="windows") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="rsa") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="NTDETECT.COM") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="ntldr") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="MSDOS.SYS") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="IO.SYS") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="boot.ini") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="ntuser.dat") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="desktop.ini") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="CONFIG.SYS") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="RECYCLER") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="bootmgr") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="programdata") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="appdata") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="program files") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="program files (x86)") returned -1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="microsoft") returned 1 [0273.538] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="sophos") returned -1 [0273.538] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28dbd38 [0273.538] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0273.538] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned=".evtx" [0273.538] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.539] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.539] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.539] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28dbe00 [0273.539] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.540] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0273.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0273.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.540] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0273.540] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0273.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20070 [0273.540] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.542] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20070*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20070*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.544] GetTickCount () returned 0x11848fd [0273.544] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0273.544] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0273.544] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.544] SetLastError (dwErrCode=0x0) [0273.544] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.545] GetLastError () returned 0x0 [0273.545] GetLastError () returned 0x0 [0273.545] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.545] WriteFile (in: hFile=0x260, lpBuffer=0x2d20070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20070*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.545] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.546] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc95c82ed, dwHighDateTime=0x1d5fd73)) [0273.546] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.546] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.546] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.546] GetProcessHeap () returned 0xa10000 [0273.547] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0273.547] GetSystemDefaultLangID () returned 0xa20409 [0273.547] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.547] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0273.578] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.578] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0273.579] GetProcessHeap () returned 0xa10000 [0273.579] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0273.579] CloseHandle (hObject=0x260) returned 1 [0273.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0273.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20070 | out: hHeap=0x28d0000) returned 1 [0273.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0273.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0273.583] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28de318 [0273.583] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.nefilim")) returned 1 [0273.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0273.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0273.584] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cAlternateFileName="MI7771~1.EVT")) returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2=".") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="..") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="...") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="windows") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="$RECYCLE.BIN") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="rsa") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="NTDETECT.COM") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="ntldr") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="MSDOS.SYS") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="IO.SYS") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="boot.ini") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="ntuser.dat") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="desktop.ini") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="CONFIG.SYS") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="RECYCLER") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="BOOTSECT.BAK") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="bootmgr") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="programdata") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="appdata") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="program files") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="program files (x86)") returned -1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="microsoft") returned 1 [0273.585] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="sophos") returned -1 [0273.585] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe00 [0273.585] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0273.586] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned=".evtx" [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0273.586] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0273.586] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0273.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbcc0 [0273.586] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0273.587] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1052672) returned 1 [0273.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0273.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0273.587] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0273.587] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0273.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0273.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0273.587] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0273.588] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0273.588] GetTickCount () returned 0x118492c [0273.588] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0273.588] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.588] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.588] SetLastError (dwErrCode=0x0) [0273.589] WriteFile (in: hFile=0x260, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.590] GetLastError () returned 0x0 [0273.590] GetLastError () returned 0x0 [0273.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.590] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0273.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.590] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xc9636a6e, dwHighDateTime=0x1d5fd73)) [0273.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0273.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0273.590] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0273.590] GetProcessHeap () returned 0xa10000 [0273.590] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x101000) returned 0x2e27020 [0273.594] GetSystemDefaultLangID () returned 0xa20409 [0273.594] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.594] ReadFile (in: hFile=0x260, lpBuffer=0x2e27020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e27020*, lpNumberOfBytesRead=0x26ef2ac*=0x101000, lpOverlapped=0x0) returned 1 [0273.707] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0273.753] WriteFile (in: hFile=0x260, lpBuffer=0x2e27020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e27020*, lpNumberOfBytesWritten=0x26ef2a0*=0x101000, lpOverlapped=0x0) returned 1 [0273.758] GetProcessHeap () returned 0xa10000 [0273.782] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0x2e27020 | out: hHeap=0xa10000) returned 1 [0273.959] CloseHandle (hObject=0x260) returned 1 [0274.103] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0274.103] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0274.103] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0274.103] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0274.103] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de318 [0274.159] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.nefilim")) returned 1 [0274.160] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0274.160] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0274.259] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cAlternateFileName="MI4667~1.EVT")) returned 1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2=".") returned 1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="..") returned 1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="...") returned 1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="windows") returned -1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="$RECYCLE.BIN") returned 1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="rsa") returned -1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="NTDETECT.COM") returned -1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="ntldr") returned -1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="MSDOS.SYS") returned -1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="IO.SYS") returned 1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="boot.ini") returned 1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0274.291] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="ntuser.dat") returned -1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="desktop.ini") returned 1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="CONFIG.SYS") returned 1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="RECYCLER") returned -1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="BOOTSECT.BAK") returned 1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="bootmgr") returned 1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="programdata") returned -1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="appdata") returned 1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="program files") returned -1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="program files (x86)") returned -1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="microsoft") returned 1 [0274.292] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="sophos") returned -1 [0274.292] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28d1278 [0274.292] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0274.326] PathFindExtensionW (pszPath="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned=".evtx" [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0274.347] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0274.348] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0274.348] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0274.348] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0274.348] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0274.348] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0274.348] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0274.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0274.434] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0274.494] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0274.494] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0274.494] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0274.494] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0274.494] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0274.494] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0274.494] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0274.515] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef248*=0x100) returned 1 [0274.516] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ef244*=0x100) returned 1 [0274.611] GetTickCount () returned 0x1184d33 [0274.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0274.611] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0274.611] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0274.667] SetLastError (dwErrCode=0x0) [0274.751] WriteFile (in: hFile=0x260, lpBuffer=0x2d20598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20598*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0274.752] GetLastError () returned 0x0 [0274.906] GetLastError () returned 0x0 [0274.906] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.044] WriteFile (in: hFile=0x260, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.045] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.073] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xca46f782, dwHighDateTime=0x1d5fd73)) [0275.073] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0275.073] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.100] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0275.101] GetProcessHeap () returned 0xa10000 [0275.101] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0275.185] GetSystemDefaultLangID () returned 0xa20409 [0275.185] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.242] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0275.249] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.249] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0275.249] GetProcessHeap () returned 0xa10000 [0275.249] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0275.249] CloseHandle (hObject=0x260) returned 1 [0275.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20598 | out: hHeap=0x28d0000) returned 1 [0275.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0275.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0275.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0275.252] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd58 [0275.252] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.nefilim")) returned 1 [0275.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd58 | out: hHeap=0x28d0000) returned 1 [0275.253] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0275.253] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0275.253] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2=".") returned 1 [0275.253] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="..") returned 1 [0275.253] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="...") returned 1 [0275.253] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="windows") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="rsa") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="ntldr") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="IO.SYS") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="boot.ini") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="desktop.ini") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="RECYCLER") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="bootmgr") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="programdata") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="appdata") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="program files") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="program files (x86)") returned -1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="microsoft") returned 1 [0275.254] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="sophos") returned -1 [0275.254] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0275.254] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.254] PathFindExtensionW (pszPath="Microsoft-Windows-Winlogon%4Operational.evtx") returned=".evtx" [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0275.255] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0275.255] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0275.255] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28d1278 [0275.255] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0275.256] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0275.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0275.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0a8 [0275.256] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0275.256] SystemFunction036 (in: RandomBuffer=0x28de0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0a8) returned 1 [0275.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0275.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0275.256] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0275.257] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ef244*=0x100) returned 1 [0275.259] GetTickCount () returned 0x1184fb4 [0275.259] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0275.260] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.260] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.260] SetLastError (dwErrCode=0x0) [0275.260] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.261] GetLastError () returned 0x0 [0275.261] GetLastError () returned 0x0 [0275.261] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.261] WriteFile (in: hFile=0x260, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.261] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.261] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xca62889c, dwHighDateTime=0x1d5fd73)) [0275.261] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0275.261] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.261] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0275.261] GetProcessHeap () returned 0xa10000 [0275.261] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0275.262] GetSystemDefaultLangID () returned 0xa20409 [0275.262] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.262] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0275.268] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.268] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0275.268] GetProcessHeap () returned 0xa10000 [0275.269] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0275.269] CloseHandle (hObject=0x260) returned 1 [0275.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0275.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0275.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0275.271] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0a8 | out: hHeap=0x28d0000) returned 1 [0275.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0275.271] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.nefilim")) returned 1 [0275.272] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0275.272] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.272] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx", cAlternateFileName="MIFF83~1.EVT")) returned 1 [0275.272] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2=".") returned 1 [0275.272] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="..") returned 1 [0275.272] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="...") returned 1 [0275.272] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="windows") returned -1 [0275.272] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0275.272] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="rsa") returned -1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="ntldr") returned -1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="IO.SYS") returned 1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="boot.ini") returned 1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="desktop.ini") returned 1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="RECYCLER") returned -1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="bootmgr") returned 1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="programdata") returned -1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="appdata") returned 1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="program files") returned -1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="program files (x86)") returned -1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="microsoft") returned 1 [0275.273] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="sophos") returned -1 [0275.273] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28d1278 [0275.273] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0275.273] PathFindExtensionW (pszPath="Microsoft-Windows-WMI-Activity%4Operational.evtx") returned=".evtx" [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0275.273] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0275.274] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0275.274] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0275.274] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0275.274] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0275.274] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0275.274] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbcc0 [0275.274] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0275.274] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1052672) returned 1 [0275.274] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0275.274] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0275.274] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0275.274] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0275.274] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0275.274] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0275.274] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ef248*=0x100) returned 1 [0275.276] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ef244*=0x100) returned 1 [0275.278] GetTickCount () returned 0x1184fc4 [0275.278] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0275.278] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.278] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.278] SetLastError (dwErrCode=0x0) [0275.278] WriteFile (in: hFile=0x260, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.279] GetLastError () returned 0x0 [0275.279] GetLastError () returned 0x0 [0275.279] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.280] WriteFile (in: hFile=0x260, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.280] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.280] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xca64e8c8, dwHighDateTime=0x1d5fd73)) [0275.280] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0275.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.280] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0275.280] GetProcessHeap () returned 0xa10000 [0275.280] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x101000) returned 0x2e28020 [0275.283] GetSystemDefaultLangID () returned 0xa20409 [0275.283] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.283] ReadFile (in: hFile=0x260, lpBuffer=0x2e28020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e28020*, lpNumberOfBytesRead=0x26ef2ac*=0x101000, lpOverlapped=0x0) returned 1 [0275.367] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.367] WriteFile (in: hFile=0x260, lpBuffer=0x2e28020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e28020*, lpNumberOfBytesWritten=0x26ef2a0*=0x101000, lpOverlapped=0x0) returned 1 [0275.370] GetProcessHeap () returned 0xa10000 [0275.370] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0x2e28020 | out: hHeap=0xa10000) returned 1 [0275.377] CloseHandle (hObject=0x260) returned 1 [0275.403] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0275.403] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0275.403] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0275.403] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0275.403] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbd48 [0275.403] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.nefilim")) returned 1 [0275.405] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd48 | out: hHeap=0x28d0000) returned 1 [0275.405] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0275.405] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Security.evtx", cAlternateFileName="SECURI~1.EVT")) returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2=".") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="..") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="...") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="windows") returned -1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="$RECYCLE.BIN") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="rsa") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="NTDETECT.COM") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="ntldr") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="MSDOS.SYS") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="IO.SYS") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="boot.ini") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="ntuser.dat") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="desktop.ini") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="CONFIG.SYS") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="RECYCLER") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="BOOTSECT.BAK") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="bootmgr") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="programdata") returned 1 [0275.405] lstrcmpiW (lpString1="Security.evtx", lpString2="appdata") returned 1 [0275.406] lstrcmpiW (lpString1="Security.evtx", lpString2="program files") returned 1 [0275.406] lstrcmpiW (lpString1="Security.evtx", lpString2="program files (x86)") returned 1 [0275.406] lstrcmpiW (lpString1="Security.evtx", lpString2="microsoft") returned 1 [0275.406] lstrcmpiW (lpString1="Security.evtx", lpString2="sophos") returned -1 [0275.406] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0275.406] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.406] PathFindExtensionW (pszPath="Security.evtx") returned=".evtx" [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0275.406] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0275.406] lstrcmpiW (lpString1="Security.evtx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0275.407] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0275.407] CreateFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0275.407] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1118208) returned 1 [0275.407] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0275.407] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0275.407] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0275.407] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0275.407] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0275.407] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21720 [0275.407] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ef248*=0x100) returned 1 [0275.409] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21720*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21720*, pdwDataLen=0x26ef244*=0x100) returned 1 [0275.410] GetTickCount () returned 0x1185050 [0275.410] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12b0 [0275.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.410] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.410] SetLastError (dwErrCode=0x0) [0275.410] WriteFile (in: hFile=0x260, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.411] GetLastError () returned 0x0 [0275.411] GetLastError () returned 0x0 [0275.411] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.411] WriteFile (in: hFile=0x260, lpBuffer=0x2d21720*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21720*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.412] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.412] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xca7a615b, dwHighDateTime=0x1d5fd73)) [0275.412] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12b0 [0275.412] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.412] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0275.412] GetProcessHeap () returned 0xa10000 [0275.412] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x111000) returned 0x2e24020 [0275.416] GetSystemDefaultLangID () returned 0xa20409 [0275.416] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.416] ReadFile (in: hFile=0x260, lpBuffer=0x2e24020, nNumberOfBytesToRead=0x111000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e24020*, lpNumberOfBytesRead=0x26ef2ac*=0x111000, lpOverlapped=0x0) returned 1 [0275.522] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.522] WriteFile (in: hFile=0x260, lpBuffer=0x2e24020*, nNumberOfBytesToWrite=0x111000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e24020*, lpNumberOfBytesWritten=0x26ef2a0*=0x111000, lpOverlapped=0x0) returned 1 [0275.526] GetProcessHeap () returned 0xa10000 [0275.526] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0x2e24020 | out: hHeap=0xa10000) returned 1 [0275.533] CloseHandle (hObject=0x260) returned 1 [0275.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0275.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21720 | out: hHeap=0x28d0000) returned 1 [0275.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0275.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0275.555] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12b0 [0275.555] MoveFileW (lpExistingFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), lpNewFileName="C:\\Logs\\Security.evtx.NEFILIM" (normalized: "c:\\logs\\security.evtx.nefilim")) returned 1 [0275.556] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.556] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.556] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Setup.evtx", cAlternateFileName="SETUP~1.EVT")) returned 1 [0275.556] lstrcmpiW (lpString1="Setup.evtx", lpString2=".") returned 1 [0275.556] lstrcmpiW (lpString1="Setup.evtx", lpString2="..") returned 1 [0275.556] lstrcmpiW (lpString1="Setup.evtx", lpString2="...") returned 1 [0275.556] lstrcmpiW (lpString1="Setup.evtx", lpString2="windows") returned -1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="$RECYCLE.BIN") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="rsa") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="NTDETECT.COM") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="ntldr") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="MSDOS.SYS") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="IO.SYS") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="boot.ini") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="ntuser.dat") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="desktop.ini") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="CONFIG.SYS") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="RECYCLER") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="BOOTSECT.BAK") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="bootmgr") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="programdata") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="appdata") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="program files") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="program files (x86)") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="microsoft") returned 1 [0275.557] lstrcmpiW (lpString1="Setup.evtx", lpString2="sophos") returned -1 [0275.557] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0275.557] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.557] PathFindExtensionW (pszPath="Setup.evtx") returned=".evtx" [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0275.558] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0275.558] lstrcmpiW (lpString1="Setup.evtx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0275.558] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0275.558] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0275.559] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0275.559] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0275.559] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0275.559] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0275.559] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0275.559] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d206a0 [0275.559] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0275.559] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d206a0*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d206a0*, pdwDataLen=0x26ef248*=0x100) returned 1 [0275.561] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ef244*=0x100) returned 1 [0275.562] GetTickCount () returned 0x11850dd [0275.562] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12b0 [0275.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.562] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.562] SetLastError (dwErrCode=0x0) [0275.562] WriteFile (in: hFile=0x260, lpBuffer=0x2d206a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d206a0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.564] GetLastError () returned 0x0 [0275.564] GetLastError () returned 0x0 [0275.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.564] WriteFile (in: hFile=0x260, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.564] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xca907428, dwHighDateTime=0x1d5fd73)) [0275.564] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12b0 [0275.564] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.564] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0275.565] GetProcessHeap () returned 0xa10000 [0275.565] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0275.565] GetSystemDefaultLangID () returned 0xa20409 [0275.578] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.578] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0275.584] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.584] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0275.584] GetProcessHeap () returned 0xa10000 [0275.584] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0275.584] CloseHandle (hObject=0x260) returned 1 [0275.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d206a0 | out: hHeap=0x28d0000) returned 1 [0275.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0275.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de108 | out: hHeap=0x28d0000) returned 1 [0275.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0275.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12b0 [0275.587] MoveFileW (lpExistingFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), lpNewFileName="C:\\Logs\\Setup.evtx.NEFILIM" (normalized: "c:\\logs\\setup.evtx.nefilim")) returned 1 [0275.588] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.588] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.588] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="System.evtx", cAlternateFileName="SYSTEM~1.EVT")) returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2=".") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="..") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="...") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="windows") returned -1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="$RECYCLE.BIN") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="rsa") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="NTDETECT.COM") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="ntldr") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="MSDOS.SYS") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="IO.SYS") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="boot.ini") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="ntuser.dat") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="desktop.ini") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="CONFIG.SYS") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="RECYCLER") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="BOOTSECT.BAK") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="bootmgr") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="programdata") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="appdata") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="program files") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="program files (x86)") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="microsoft") returned 1 [0275.588] lstrcmpiW (lpString1="System.evtx", lpString2="sophos") returned 1 [0275.588] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0275.588] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.588] PathFindExtensionW (pszPath="System.evtx") returned=".evtx" [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0275.589] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0275.589] lstrcmpiW (lpString1="System.evtx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0275.589] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0275.589] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0275.590] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1118208) returned 1 [0275.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0275.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0275.590] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0275.590] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0275.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d206a0 [0275.590] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0275.590] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d206a0*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d206a0*, pdwDataLen=0x26ef248*=0x100) returned 1 [0275.591] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0275.591] GetTickCount () returned 0x11850fc [0275.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12b0 [0275.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.591] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.591] SetLastError (dwErrCode=0x0) [0275.591] WriteFile (in: hFile=0x260, lpBuffer=0x2d206a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d206a0*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.593] GetLastError () returned 0x0 [0275.593] GetLastError () returned 0x0 [0275.593] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.593] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.593] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.593] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xca9497b8, dwHighDateTime=0x1d5fd73)) [0275.593] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12b0 [0275.593] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.593] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0275.593] GetProcessHeap () returned 0xa10000 [0275.593] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x111000) returned 0x2e23020 [0275.597] GetSystemDefaultLangID () returned 0xa20409 [0275.597] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.597] ReadFile (in: hFile=0x260, lpBuffer=0x2e23020, nNumberOfBytesToRead=0x111000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0x2e23020*, lpNumberOfBytesRead=0x26ef2ac*=0x111000, lpOverlapped=0x0) returned 1 [0275.674] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.674] WriteFile (in: hFile=0x260, lpBuffer=0x2e23020*, nNumberOfBytesToWrite=0x111000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2e23020*, lpNumberOfBytesWritten=0x26ef2a0*=0x111000, lpOverlapped=0x0) returned 1 [0275.677] GetProcessHeap () returned 0xa10000 [0275.677] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0x2e23020 | out: hHeap=0xa10000) returned 1 [0275.683] CloseHandle (hObject=0x260) returned 1 [0275.708] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d206a0 | out: hHeap=0x28d0000) returned 1 [0275.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0275.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0275.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0275.709] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12b0 [0275.709] MoveFileW (lpExistingFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), lpNewFileName="C:\\Logs\\System.evtx.NEFILIM" (normalized: "c:\\logs\\system.evtx.nefilim")) returned 1 [0275.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.710] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2=".") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="..") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="...") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="windows") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="$RECYCLE.BIN") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="rsa") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="NTDETECT.COM") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="ntldr") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="MSDOS.SYS") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="IO.SYS") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="boot.ini") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="ntuser.dat") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="desktop.ini") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="CONFIG.SYS") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="RECYCLER") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="BOOTSECT.BAK") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="bootmgr") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="programdata") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="appdata") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="program files") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="program files (x86)") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="microsoft") returned 1 [0275.710] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="sophos") returned 1 [0275.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0275.710] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.710] PathFindExtensionW (pszPath="Windows PowerShell.evtx") returned=".evtx" [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0275.711] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0275.711] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0275.711] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0275.711] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0275.711] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=69632) returned 1 [0275.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0275.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0275.712] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0275.712] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0275.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0275.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0275.712] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ef248*=0x100) returned 1 [0275.713] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0275.714] GetTickCount () returned 0x1185179 [0275.714] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12c0 [0275.714] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0275.714] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.715] SetLastError (dwErrCode=0x0) [0275.715] WriteFile (in: hFile=0x260, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.716] GetLastError () returned 0x0 [0275.716] GetLastError () returned 0x0 [0275.716] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.716] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.716] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.716] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xcaa809f2, dwHighDateTime=0x1d5fd73)) [0275.716] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0275.716] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0275.716] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0275.716] GetProcessHeap () returned 0xa10000 [0275.716] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11000) returned 0xa3b688 [0275.716] GetSystemDefaultLangID () returned 0xa20409 [0275.716] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.716] ReadFile (in: hFile=0x260, lpBuffer=0xa3b688, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesRead=0x26ef2ac*=0x11000, lpOverlapped=0x0) returned 1 [0275.721] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.721] WriteFile (in: hFile=0x260, lpBuffer=0xa3b688*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa3b688*, lpNumberOfBytesWritten=0x26ef2a0*=0x11000, lpOverlapped=0x0) returned 1 [0275.722] GetProcessHeap () returned 0xa10000 [0275.722] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3b688 | out: hHeap=0xa10000) returned 1 [0275.722] CloseHandle (hObject=0x260) returned 1 [0275.725] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0275.725] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0275.725] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0275.725] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0275.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0275.725] MoveFileW (lpExistingFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), lpNewFileName="C:\\Logs\\Windows PowerShell.evtx.NEFILIM" (normalized: "c:\\logs\\windows powershell.evtx.nefilim")) returned 1 [0275.726] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0275.726] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.726] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 0 [0275.777] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0275.777] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.777] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0275.777] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0275.777] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae1c80ac, ftCreationTime.dwHighDateTime=0x1d5fd73, ftLastAccessTime.dwLowDateTime=0xae1c80ac, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0xae2d883b, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NEFILIM-DECRYPT.txt", cAlternateFileName="NEFILI~1.TXT")) returned 1 [0275.777] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2=".") returned 1 [0275.777] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="..") returned 1 [0275.777] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="...") returned 1 [0275.777] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="windows") returned -1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="$RECYCLE.BIN") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="rsa") returned -1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="NTDETECT.COM") returned -1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="ntldr") returned -1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="MSDOS.SYS") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="IO.SYS") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="boot.ini") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="AUTOEXEC.BAT") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="CONFIG.SYS") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="RECYCLER") returned -1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="BOOTSECT.BAK") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="bootmgr") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="programdata") returned -1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="appdata") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="program files") returned -1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="program files (x86)") returned -1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="microsoft") returned 1 [0275.778] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="sophos") returned -1 [0275.778] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0275.778] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0275.778] PathFindExtensionW (pszPath="NEFILIM-DECRYPT.txt") returned=".txt" [0275.778] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0275.779] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0275.779] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="NEFILIM-DECRYPT.txt") returned 0 [0275.779] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xaced8ceb, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0275.779] lstrcmpiW (lpString1="pagefile.sys", lpString2=".") returned 1 [0275.779] lstrcmpiW (lpString1="pagefile.sys", lpString2="..") returned 1 [0275.779] lstrcmpiW (lpString1="pagefile.sys", lpString2="...") returned 1 [0275.779] lstrcmpiW (lpString1="pagefile.sys", lpString2="windows") returned -1 [0275.779] lstrcmpiW (lpString1="pagefile.sys", lpString2="$RECYCLE.BIN") returned 1 [0275.779] lstrcmpiW (lpString1="pagefile.sys", lpString2="rsa") returned -1 [0275.779] lstrcmpiW (lpString1="pagefile.sys", lpString2="NTDETECT.COM") returned 1 [0275.779] lstrcmpiW (lpString1="pagefile.sys", lpString2="ntldr") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="MSDOS.SYS") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="IO.SYS") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="boot.ini") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="AUTOEXEC.BAT") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="ntuser.dat") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="desktop.ini") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="CONFIG.SYS") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="RECYCLER") returned -1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="BOOTSECT.BAK") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="bootmgr") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="programdata") returned -1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="appdata") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="program files") returned -1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="program files (x86)") returned -1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="microsoft") returned 1 [0275.780] lstrcmpiW (lpString1="pagefile.sys", lpString2="sophos") returned -1 [0275.780] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0275.780] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0275.780] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0275.780] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0275.780] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0275.780] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0275.780] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0275.780] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0275.780] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0275.781] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0275.781] lstrcmpiW (lpString1="pagefile.sys", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0275.781] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0275.781] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0275.781] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26ef5a8 | out: lpFileSize=0x26ef5a8*=440599260887424) returned 0 [0275.781] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0a8 [0275.781] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de108 [0275.782] SystemFunction036 (in: RandomBuffer=0x28de0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0a8) returned 1 [0275.782] SystemFunction036 (in: RandomBuffer=0x28de108, RandomBufferLength=0x10 | out: RandomBuffer=0x28de108) returned 1 [0275.782] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21720 [0275.782] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20070 [0275.782] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21720*, pdwDataLen=0x26ef568*=0x10, dwBufLen=0x100 | out: pbData=0x2d21720*, pdwDataLen=0x26ef568*=0x100) returned 1 [0275.782] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20070*, pdwDataLen=0x26ef564*=0x10, dwBufLen=0x100 | out: pbData=0x2d20070*, pdwDataLen=0x26ef564*=0x100) returned 1 [0275.784] GetTickCount () returned 0x11851c7 [0275.784] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0275.784] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0275.784] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0275.784] SetLastError (dwErrCode=0x0) [0275.784] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d21720, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0) returned 0 [0275.784] GetLastError () returned 0x6 [0275.784] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0275.784] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2=".") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="..") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="...") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="windows") returned -1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="$RECYCLE.BIN") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="rsa") returned -1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="NTDETECT.COM") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="ntldr") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="MSDOS.SYS") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="IO.SYS") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="boot.ini") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="AUTOEXEC.BAT") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="ntuser.dat") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="desktop.ini") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="CONFIG.SYS") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="RECYCLER") returned -1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="BOOTSECT.BAK") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="bootmgr") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="programdata") returned -1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="appdata") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="program files") returned -1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="program files (x86)") returned -1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="microsoft") returned 1 [0275.785] lstrcmpiW (lpString1="PerfLogs", lpString2="sophos") returned -1 [0275.785] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0275.785] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0275.786] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0275.786] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d2330 [0275.786] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d14b8 [0275.786] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1478, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0275.788] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.788] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1478, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0275.788] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.788] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.789] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1478, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 0 [0275.789] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0275.789] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.789] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0275.789] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0275.789] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf35d9ada, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xf35d9ada, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0275.789] lstrcmpiW (lpString1="Program Files", lpString2=".") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="..") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="...") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="windows") returned -1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="$RECYCLE.BIN") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="rsa") returned -1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="NTDETECT.COM") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="ntldr") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="MSDOS.SYS") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="IO.SYS") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="boot.ini") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="AUTOEXEC.BAT") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="ntuser.dat") returned 1 [0275.790] lstrcmpiW (lpString1="Program Files", lpString2="desktop.ini") returned 1 [0275.791] lstrcmpiW (lpString1="Program Files", lpString2="CONFIG.SYS") returned 1 [0275.791] lstrcmpiW (lpString1="Program Files", lpString2="RECYCLER") returned -1 [0275.791] lstrcmpiW (lpString1="Program Files", lpString2="BOOTSECT.BAK") returned 1 [0275.791] lstrcmpiW (lpString1="Program Files", lpString2="bootmgr") returned 1 [0275.791] lstrcmpiW (lpString1="Program Files", lpString2="programdata") returned -1 [0275.791] lstrcmpiW (lpString1="Program Files", lpString2="appdata") returned 1 [0275.791] lstrcmpiW (lpString1="Program Files", lpString2="program files") returned 0 [0275.791] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7a165b3, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe7a165b3, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0275.791] lstrcmpiW (lpString1="Program Files (x86)", lpString2=".") returned 1 [0275.791] lstrcmpiW (lpString1="Program Files (x86)", lpString2="..") returned 1 [0275.791] lstrcmpiW (lpString1="Program Files (x86)", lpString2="...") returned 1 [0275.791] lstrcmpiW (lpString1="Program Files (x86)", lpString2="windows") returned -1 [0275.791] lstrcmpiW (lpString1="Program Files (x86)", lpString2="$RECYCLE.BIN") returned 1 [0275.791] lstrcmpiW (lpString1="Program Files (x86)", lpString2="rsa") returned -1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="NTDETECT.COM") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="ntldr") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="MSDOS.SYS") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="IO.SYS") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="boot.ini") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="AUTOEXEC.BAT") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="ntuser.dat") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="desktop.ini") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="CONFIG.SYS") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="RECYCLER") returned -1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="BOOTSECT.BAK") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="bootmgr") returned 1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="programdata") returned -1 [0275.792] lstrcmpiW (lpString1="Program Files (x86)", lpString2="appdata") returned 1 [0275.793] lstrcmpiW (lpString1="Program Files (x86)", lpString2="program files") returned 1 [0275.793] lstrcmpiW (lpString1="Program Files (x86)", lpString2="program files (x86)") returned 0 [0275.793] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0275.793] lstrcmpiW (lpString1="ProgramData", lpString2=".") returned 1 [0275.793] lstrcmpiW (lpString1="ProgramData", lpString2="..") returned 1 [0275.793] lstrcmpiW (lpString1="ProgramData", lpString2="...") returned 1 [0275.793] lstrcmpiW (lpString1="ProgramData", lpString2="windows") returned -1 [0275.793] lstrcmpiW (lpString1="ProgramData", lpString2="$RECYCLE.BIN") returned 1 [0275.793] lstrcmpiW (lpString1="ProgramData", lpString2="rsa") returned -1 [0275.793] lstrcmpiW (lpString1="ProgramData", lpString2="NTDETECT.COM") returned 1 [0275.793] lstrcmpiW (lpString1="ProgramData", lpString2="ntldr") returned 1 [0275.793] lstrcmpiW (lpString1="ProgramData", lpString2="MSDOS.SYS") returned 1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="IO.SYS") returned 1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="boot.ini") returned 1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="AUTOEXEC.BAT") returned 1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="ntuser.dat") returned 1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="desktop.ini") returned 1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="CONFIG.SYS") returned 1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="RECYCLER") returned -1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="BOOTSECT.BAK") returned 1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="bootmgr") returned 1 [0275.794] lstrcmpiW (lpString1="ProgramData", lpString2="programdata") returned 0 [0275.794] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0275.794] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0275.794] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0275.794] lstrcmpiW (lpString1="Recovery", lpString2="...") returned 1 [0275.794] lstrcmpiW (lpString1="Recovery", lpString2="windows") returned -1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="$RECYCLE.BIN") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="rsa") returned -1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="NTDETECT.COM") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="ntldr") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="MSDOS.SYS") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="IO.SYS") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="boot.ini") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="AUTOEXEC.BAT") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="ntuser.dat") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="desktop.ini") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="CONFIG.SYS") returned 1 [0275.795] lstrcmpiW (lpString1="Recovery", lpString2="RECYCLER") returned -1 [0275.796] lstrcmpiW (lpString1="Recovery", lpString2="BOOTSECT.BAK") returned 1 [0275.796] lstrcmpiW (lpString1="Recovery", lpString2="bootmgr") returned 1 [0275.796] lstrcmpiW (lpString1="Recovery", lpString2="programdata") returned 1 [0275.796] lstrcmpiW (lpString1="Recovery", lpString2="appdata") returned 1 [0275.796] lstrcmpiW (lpString1="Recovery", lpString2="program files") returned 1 [0275.796] lstrcmpiW (lpString1="Recovery", lpString2="program files (x86)") returned 1 [0275.796] lstrcmpiW (lpString1="Recovery", lpString2="microsoft") returned 1 [0275.796] lstrcmpiW (lpString1="Recovery", lpString2="sophos") returned -1 [0275.796] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0275.796] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0275.797] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0275.797] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d2330 [0275.797] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d14b8 [0275.797] FindFirstFileW (in: lpFileName="C:\\Recovery\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1478, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xa2f220 [0275.800] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.800] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1478, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0275.800] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.800] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.800] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d1478, dwReserved1=0x9, cFileName="Logs", cAlternateFileName="")) returned 1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="rsa") returned -1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="NTDETECT.COM") returned -1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="ntldr") returned -1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="MSDOS.SYS") returned -1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="IO.SYS") returned 1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="boot.ini") returned 1 [0275.801] lstrcmpiW (lpString1="Logs", lpString2="AUTOEXEC.BAT") returned 1 [0275.802] lstrcmpiW (lpString1="Logs", lpString2="ntuser.dat") returned -1 [0275.802] lstrcmpiW (lpString1="Logs", lpString2="desktop.ini") returned 1 [0275.802] lstrcmpiW (lpString1="Logs", lpString2="CONFIG.SYS") returned 1 [0275.802] lstrcmpiW (lpString1="Logs", lpString2="RECYCLER") returned -1 [0275.802] lstrcmpiW (lpString1="Logs", lpString2="BOOTSECT.BAK") returned 1 [0275.802] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0275.802] lstrcmpiW (lpString1="Logs", lpString2="programdata") returned -1 [0275.802] lstrcmpiW (lpString1="Logs", lpString2="appdata") returned 1 [0275.803] lstrcmpiW (lpString1="Logs", lpString2="program files") returned -1 [0275.803] lstrcmpiW (lpString1="Logs", lpString2="program files (x86)") returned -1 [0275.803] lstrcmpiW (lpString1="Logs", lpString2="microsoft") returned -1 [0275.803] lstrcmpiW (lpString1="Logs", lpString2="sophos") returned -1 [0275.803] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0275.803] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.803] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0275.803] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12b0 [0275.803] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0275.803] FindFirstFileW (in: lpFileName="C:\\Recovery\\Logs\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0275.804] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.804] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.806] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.806] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.806] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0275.806] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0275.807] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0275.807] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0275.807] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.807] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1044dfc5, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3ee, dwReserved0=0x28d1478, dwReserved1=0x9, cFileName="ReAgentOld.xml", cAlternateFileName="REAGEN~1.XML")) returned 1 [0275.807] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2=".") returned 1 [0275.807] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="..") returned 1 [0275.807] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="...") returned 1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="windows") returned -1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="$RECYCLE.BIN") returned 1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="rsa") returned -1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="NTDETECT.COM") returned 1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="ntldr") returned 1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="MSDOS.SYS") returned 1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="IO.SYS") returned 1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="boot.ini") returned 1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="AUTOEXEC.BAT") returned 1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="ntuser.dat") returned 1 [0275.808] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="desktop.ini") returned 1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="CONFIG.SYS") returned 1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="RECYCLER") returned -1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="BOOTSECT.BAK") returned 1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="bootmgr") returned 1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="programdata") returned 1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="appdata") returned 1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="program files") returned 1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="program files (x86)") returned 1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="microsoft") returned 1 [0275.809] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="sophos") returned -1 [0275.809] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0275.809] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.809] PathFindExtensionW (pszPath="ReAgentOld.xml") returned=".xml" [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0275.810] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0275.811] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0275.811] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0275.811] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0275.811] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0275.811] CreateFileW (lpFileName="C:\\Recovery\\ReAgentOld.xml" (normalized: "c:\\recovery\\reagentold.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0275.812] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x26ef288 | out: lpFileSize=0x26ef288*=1006) returned 1 [0275.812] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de120 [0275.812] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0275.813] SystemFunction036 (in: RandomBuffer=0x28de120, RandomBufferLength=0x10 | out: RandomBuffer=0x28de120) returned 1 [0275.813] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0275.813] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0275.813] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0275.813] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ef248*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ef248*=0x100) returned 1 [0275.818] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ef244*=0x100) returned 1 [0275.820] GetTickCount () returned 0x11851e6 [0275.820] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12c0 [0275.820] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0275.820] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.820] SetLastError (dwErrCode=0x0) [0275.820] WriteFile (in: hFile=0x260, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.822] GetLastError () returned 0x0 [0275.822] GetLastError () returned 0x0 [0275.822] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.822] WriteFile (in: hFile=0x260, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ef2a0*=0x100, lpOverlapped=0x0) returned 1 [0275.823] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.823] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ef25c | out: lpSystemTimeAsFileTime=0x26ef25c*(dwLowDateTime=0xcab85944, dwHighDateTime=0x1d5fd73)) [0275.823] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0275.823] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0275.823] WriteFile (in: hFile=0x260, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ef2a0*=0x7, lpOverlapped=0x0) returned 1 [0275.823] GetProcessHeap () returned 0xa10000 [0275.823] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3ee) returned 0xa34b88 [0275.823] GetSystemDefaultLangID () returned 0xa20409 [0275.823] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.823] ReadFile (in: hFile=0x260, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x3ee, lpNumberOfBytesRead=0x26ef2ac, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ef2ac*=0x3ee, lpOverlapped=0x0) returned 1 [0275.823] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.823] WriteFile (in: hFile=0x260, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x3ee, lpNumberOfBytesWritten=0x26ef2a0, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ef2a0*=0x3ee, lpOverlapped=0x0) returned 1 [0275.823] GetProcessHeap () returned 0xa10000 [0275.823] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0275.823] CloseHandle (hObject=0x260) returned 1 [0275.825] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0275.825] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0275.825] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de120 | out: hHeap=0x28d0000) returned 1 [0275.825] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddf88 | out: hHeap=0x28d0000) returned 1 [0275.825] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0275.825] MoveFileW (lpExistingFileName="C:\\Recovery\\ReAgentOld.xml" (normalized: "c:\\recovery\\reagentold.xml"), lpNewFileName="C:\\Recovery\\ReAgentOld.xml.NEFILIM" (normalized: "c:\\recovery\\reagentold.xml.nefilim")) returned 1 [0275.826] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0275.826] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.826] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1044dfc5, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3ee, dwReserved0=0x28d1478, dwReserved1=0x9, cFileName="ReAgentOld.xml", cAlternateFileName="REAGEN~1.XML")) returned 0 [0275.826] FindClose (in: hFindFile=0xa2f220 | out: hFindFile=0xa2f220) returned 1 [0275.826] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.826] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0275.826] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0275.826] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xacefef79, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0275.826] lstrcmpiW (lpString1="swapfile.sys", lpString2=".") returned 1 [0275.826] lstrcmpiW (lpString1="swapfile.sys", lpString2="..") returned 1 [0275.826] lstrcmpiW (lpString1="swapfile.sys", lpString2="...") returned 1 [0275.826] lstrcmpiW (lpString1="swapfile.sys", lpString2="windows") returned -1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="$RECYCLE.BIN") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="rsa") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="NTDETECT.COM") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="ntldr") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="MSDOS.SYS") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="IO.SYS") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="boot.ini") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="AUTOEXEC.BAT") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="ntuser.dat") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="desktop.ini") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="CONFIG.SYS") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="RECYCLER") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="BOOTSECT.BAK") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="bootmgr") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="programdata") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="appdata") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="program files") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="program files (x86)") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="microsoft") returned 1 [0275.827] lstrcmpiW (lpString1="swapfile.sys", lpString2="sophos") returned 1 [0275.827] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0275.827] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0275.827] PathFindExtensionW (pszPath="swapfile.sys") returned=".sys" [0275.827] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0275.827] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0275.828] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0275.828] lstrcmpiW (lpString1="swapfile.sys", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0275.828] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0275.828] CreateFileW (lpFileName="C:\\swapfile.sys" (normalized: "c:\\swapfile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0275.828] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26ef5a8 | out: lpFileSize=0x26ef5a8*=440599260887424) returned 0 [0275.828] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de120 [0275.829] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddf88 [0275.829] SystemFunction036 (in: RandomBuffer=0x28de120, RandomBufferLength=0x10 | out: RandomBuffer=0x28de120) returned 1 [0275.829] SystemFunction036 (in: RandomBuffer=0x28ddf88, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddf88) returned 1 [0275.829] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20598 [0275.829] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d206a0 [0275.829] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20598*, pdwDataLen=0x26ef568*=0x10, dwBufLen=0x100 | out: pbData=0x2d20598*, pdwDataLen=0x26ef568*=0x100) returned 1 [0275.829] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d206a0*, pdwDataLen=0x26ef564*=0x10, dwBufLen=0x100 | out: pbData=0x2d206a0*, pdwDataLen=0x26ef564*=0x100) returned 1 [0275.831] GetTickCount () returned 0x11851f6 [0275.831] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d2330 [0275.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0275.831] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0275.831] SetLastError (dwErrCode=0x0) [0275.831] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d20598, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26ef5c0, lpOverlapped=0x0) returned 0 [0275.831] GetLastError () returned 0x6 [0275.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0275.832] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2=".") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="..") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="...") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="windows") returned -1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="$RECYCLE.BIN") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="rsa") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="NTDETECT.COM") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="ntldr") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="MSDOS.SYS") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="IO.SYS") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="boot.ini") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="AUTOEXEC.BAT") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="ntuser.dat") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="desktop.ini") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="CONFIG.SYS") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="RECYCLER") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="BOOTSECT.BAK") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="bootmgr") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="programdata") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="appdata") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="program files") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="program files (x86)") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="microsoft") returned 1 [0275.832] lstrcmpiW (lpString1="System Volume Information", lpString2="sophos") returned 1 [0275.832] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0275.833] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0275.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0275.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0275.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0275.833] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x28d00c0, ftCreationTime.dwLowDateTime=0x28d0284, ftCreationTime.dwHighDateTime=0xe3358f2e, ftLastAccessTime.dwLowDateTime=0xb41369e9, ftLastAccessTime.dwHighDateTime=0x14000014, ftLastWriteTime.dwLowDateTime=0x779b15ca, ftLastWriteTime.dwHighDateTime=0xfcbf0d31, nFileSizeHigh=0x28d0000, nFileSizeLow=0x9000009, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="", cAlternateFileName="ɮ⊺\x01ᒸʍ⌰ʍ:")) returned 0xffffffff [0275.833] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0275.833] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0275.833] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.833] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0275.833] lstrcmpiW (lpString1="Users", lpString2=".") returned 1 [0275.833] lstrcmpiW (lpString1="Users", lpString2="..") returned 1 [0275.833] lstrcmpiW (lpString1="Users", lpString2="...") returned 1 [0275.833] lstrcmpiW (lpString1="Users", lpString2="windows") returned -1 [0275.833] lstrcmpiW (lpString1="Users", lpString2="$RECYCLE.BIN") returned 1 [0275.833] lstrcmpiW (lpString1="Users", lpString2="rsa") returned 1 [0275.833] lstrcmpiW (lpString1="Users", lpString2="NTDETECT.COM") returned 1 [0275.833] lstrcmpiW (lpString1="Users", lpString2="ntldr") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="MSDOS.SYS") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="IO.SYS") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="boot.ini") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="AUTOEXEC.BAT") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="ntuser.dat") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="desktop.ini") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="CONFIG.SYS") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="RECYCLER") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="BOOTSECT.BAK") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="bootmgr") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="programdata") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="appdata") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="program files") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="program files (x86)") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="microsoft") returned 1 [0275.834] lstrcmpiW (lpString1="Users", lpString2="sophos") returned 1 [0275.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d1478 [0275.834] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0275.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d20d8 [0275.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d2330 [0275.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d14b8 [0275.834] FindFirstFileW (in: lpFileName="C:\\Users\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xa2f560 [0275.835] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.835] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28d20d8, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0275.835] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.835] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.835] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x9, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="...") returned 1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="windows") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="$RECYCLE.BIN") returned 1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="rsa") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="NTDETECT.COM") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="ntldr") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="MSDOS.SYS") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="IO.SYS") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="boot.ini") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="AUTOEXEC.BAT") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="ntuser.dat") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="desktop.ini") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="CONFIG.SYS") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="RECYCLER") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="BOOTSECT.BAK") returned -1 [0275.835] lstrcmpiW (lpString1="All Users", lpString2="bootmgr") returned -1 [0275.836] lstrcmpiW (lpString1="All Users", lpString2="programdata") returned -1 [0275.836] lstrcmpiW (lpString1="All Users", lpString2="appdata") returned -1 [0275.836] lstrcmpiW (lpString1="All Users", lpString2="program files") returned -1 [0275.836] lstrcmpiW (lpString1="All Users", lpString2="program files (x86)") returned -1 [0275.836] lstrcmpiW (lpString1="All Users", lpString2="microsoft") returned -1 [0275.836] lstrcmpiW (lpString1="All Users", lpString2="sophos") returned -1 [0275.836] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0275.836] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0275.836] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0275.836] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12b0 [0275.836] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0275.836] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f4a0 [0275.837] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.837] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.838] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.838] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.838] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="...") returned 1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="windows") returned -1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="$RECYCLE.BIN") returned 1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="rsa") returned -1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="NTDETECT.COM") returned -1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="ntldr") returned -1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="MSDOS.SYS") returned -1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="IO.SYS") returned -1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="boot.ini") returned -1 [0275.838] lstrcmpiW (lpString1="Adobe", lpString2="AUTOEXEC.BAT") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="ntuser.dat") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="desktop.ini") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="CONFIG.SYS") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="RECYCLER") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="BOOTSECT.BAK") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="bootmgr") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="programdata") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="appdata") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="program files") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="program files (x86)") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="microsoft") returned -1 [0275.839] lstrcmpiW (lpString1="Adobe", lpString2="sophos") returned -1 [0275.839] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcf8 [0275.839] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0275.839] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd40 [0275.839] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd88 [0275.839] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdd0 [0275.839] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0275.840] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.840] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.840] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.840] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.840] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2=".") returned 1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="..") returned 1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="...") returned 1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="windows") returned -1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="$RECYCLE.BIN") returned 1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="rsa") returned -1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="NTDETECT.COM") returned -1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="ntldr") returned -1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="MSDOS.SYS") returned -1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="IO.SYS") returned -1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="boot.ini") returned -1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="AUTOEXEC.BAT") returned -1 [0275.840] lstrcmpiW (lpString1="ARM", lpString2="ntuser.dat") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="desktop.ini") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="CONFIG.SYS") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="RECYCLER") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="BOOTSECT.BAK") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="bootmgr") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="programdata") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="appdata") returned 1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="program files") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="program files (x86)") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="microsoft") returned -1 [0275.841] lstrcmpiW (lpString1="ARM", lpString2="sophos") returned -1 [0275.841] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe18 [0275.841] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd0 | out: hHeap=0x28d0000) returned 1 [0275.841] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdd0 [0275.841] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe60 [0275.841] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbea8 [0275.841] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0275.844] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.844] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.844] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.844] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.844] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_15.007.20033", cAlternateFileName="READER~1.200")) returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2=".") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="..") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="...") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="windows") returned -1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="$RECYCLE.BIN") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="rsa") returned -1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="NTDETECT.COM") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="ntldr") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="MSDOS.SYS") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="IO.SYS") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="boot.ini") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="AUTOEXEC.BAT") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="ntuser.dat") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="desktop.ini") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="CONFIG.SYS") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="RECYCLER") returned -1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="BOOTSECT.BAK") returned 1 [0275.844] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="bootmgr") returned 1 [0275.845] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="programdata") returned 1 [0275.845] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="appdata") returned 1 [0275.845] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="program files") returned 1 [0275.845] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="program files (x86)") returned 1 [0275.845] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="microsoft") returned 1 [0275.845] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="sophos") returned -1 [0275.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de318 [0275.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea8 | out: hHeap=0x28d0000) returned 1 [0275.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de390 [0275.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de408 [0275.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de480 [0275.845] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0275.847] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.847] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.847] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.847] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.847] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0275.847] FindClose (in: hFindFile=0xa2f920 | out: hFindFile=0xa2f920) returned 1 [0275.847] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de480 | out: hHeap=0x28d0000) returned 1 [0275.848] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0275.848] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de390 | out: hHeap=0x28d0000) returned 1 [0275.848] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xa7140105, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_15.023.20070", cAlternateFileName="READER~2.200")) returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2=".") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="..") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="...") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="windows") returned -1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="$RECYCLE.BIN") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="rsa") returned -1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="NTDETECT.COM") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="ntldr") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="MSDOS.SYS") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="IO.SYS") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="boot.ini") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="AUTOEXEC.BAT") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="ntuser.dat") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="desktop.ini") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="CONFIG.SYS") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="RECYCLER") returned -1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="BOOTSECT.BAK") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="bootmgr") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="programdata") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="appdata") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="program files") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="program files (x86)") returned 1 [0275.848] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="microsoft") returned 1 [0275.849] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="sophos") returned -1 [0275.849] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de390 [0275.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0275.849] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de318 [0275.849] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de408 [0275.849] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de480 [0275.849] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0275.849] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.849] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.849] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.849] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.849] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0275.850] FindClose (in: hFindFile=0xa2f920 | out: hFindFile=0xa2f920) returned 1 [0275.850] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de480 | out: hHeap=0x28d0000) returned 1 [0275.850] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0275.850] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0275.850] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S", cAlternateFileName="")) returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2=".") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="..") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="...") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="windows") returned -1 [0275.850] lstrcmpiW (lpString1="S", lpString2="$RECYCLE.BIN") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="rsa") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="NTDETECT.COM") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="ntldr") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="MSDOS.SYS") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="IO.SYS") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="boot.ini") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="AUTOEXEC.BAT") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="ntuser.dat") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="desktop.ini") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="CONFIG.SYS") returned 1 [0275.850] lstrcmpiW (lpString1="S", lpString2="RECYCLER") returned 1 [0275.851] lstrcmpiW (lpString1="S", lpString2="BOOTSECT.BAK") returned 1 [0275.851] lstrcmpiW (lpString1="S", lpString2="bootmgr") returned 1 [0275.851] lstrcmpiW (lpString1="S", lpString2="programdata") returned 1 [0275.851] lstrcmpiW (lpString1="S", lpString2="appdata") returned 1 [0275.851] lstrcmpiW (lpString1="S", lpString2="program files") returned 1 [0275.851] lstrcmpiW (lpString1="S", lpString2="program files (x86)") returned 1 [0275.851] lstrcmpiW (lpString1="S", lpString2="microsoft") returned 1 [0275.851] lstrcmpiW (lpString1="S", lpString2="sophos") returned -1 [0275.851] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea8 [0275.851] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de390 | out: hHeap=0x28d0000) returned 1 [0275.851] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de318 [0275.851] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de360 [0275.851] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de3a8 [0275.851] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\S\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f420 [0275.851] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.851] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.852] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.852] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.852] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0275.852] FindClose (in: hFindFile=0xa2f420 | out: hFindFile=0xa2f420) returned 1 [0275.852] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a8 | out: hHeap=0x28d0000) returned 1 [0275.852] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de360 | out: hHeap=0x28d0000) returned 1 [0275.852] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0275.852] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S", cAlternateFileName="")) returned 0 [0275.852] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0275.852] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea8 | out: hHeap=0x28d0000) returned 1 [0275.852] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe60 | out: hHeap=0x28d0000) returned 1 [0275.852] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd0 | out: hHeap=0x28d0000) returned 1 [0275.852] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0 [0275.852] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0275.854] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0275.854] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd88 | out: hHeap=0x28d0000) returned 1 [0275.854] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd40 | out: hHeap=0x28d0000) returned 1 [0275.854] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="$RECYCLE.BIN") returned 1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="NTDETECT.COM") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="ntldr") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="MSDOS.SYS") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="IO.SYS") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="boot.ini") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="AUTOEXEC.BAT") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="desktop.ini") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="CONFIG.SYS") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="RECYCLER") returned -1 [0275.854] lstrcmpiW (lpString1="Application Data", lpString2="BOOTSECT.BAK") returned -1 [0275.855] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0275.855] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0275.855] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0275.855] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0275.855] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0275.855] lstrcmpiW (lpString1="Application Data", lpString2="microsoft") returned -1 [0275.855] lstrcmpiW (lpString1="Application Data", lpString2="sophos") returned -1 [0275.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd40 [0275.855] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0275.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0275.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0275.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0275.855] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Application Data\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x2e00002e, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍ뵀ʍH")) returned 0xffffffff [0275.855] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0275.856] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0275.856] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0275.856] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2=".") returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="..") returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="...") returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="windows") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="$RECYCLE.BIN") returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="rsa") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="NTDETECT.COM") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="ntldr") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="MSDOS.SYS") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="IO.SYS") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="boot.ini") returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="AUTOEXEC.BAT") returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="ntuser.dat") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="desktop.ini") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="CONFIG.SYS") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="RECYCLER") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="BOOTSECT.BAK") returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="bootmgr") returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="programdata") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="appdata") returned 1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="program files") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="program files (x86)") returned -1 [0275.856] lstrcmpiW (lpString1="Comms", lpString2="microsoft") returned -1 [0275.857] lstrcmpiW (lpString1="Comms", lpString2="sophos") returned -1 [0275.857] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0275.857] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd40 | out: hHeap=0x28d0000) returned 1 [0275.857] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0275.857] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0275.857] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0275.857] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Comms\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f220 [0275.858] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.858] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.859] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.859] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.859] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0275.859] FindClose (in: hFindFile=0xa2f220 | out: hFindFile=0xa2f220) returned 1 [0275.887] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0275.887] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0275.887] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0275.887] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0275.887] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0275.888] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0275.888] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0275.888] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0275.888] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0275.888] lstrcmpiW (lpString1="Desktop", lpString2="microsoft") returned -1 [0275.888] lstrcmpiW (lpString1="Desktop", lpString2="sophos") returned -1 [0275.888] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0275.888] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0275.888] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0275.888] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0275.888] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0275.888] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Desktop\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x37000037, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍ봈ʍ6")) returned 0xffffffff [0275.888] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0275.888] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0275.889] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0275.889] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0275.889] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0275.890] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0275.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0275.890] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0275.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0275.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0275.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0275.890] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Documents\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x9b00019a, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x37000037, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x37000037, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01봈ʍ변ʍ:")) returned 0xffffffff [0275.890] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0275.890] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0275.890] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0275.890] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0275.890] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0275.890] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0275.890] lstrcmpiW (lpString1="Microsoft", lpString2="...") returned 1 [0275.890] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0275.890] lstrcmpiW (lpString1="Microsoft", lpString2="$RECYCLE.BIN") returned 1 [0275.890] lstrcmpiW (lpString1="Microsoft", lpString2="rsa") returned -1 [0275.890] lstrcmpiW (lpString1="Microsoft", lpString2="NTDETECT.COM") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="ntldr") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="MSDOS.SYS") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="IO.SYS") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="boot.ini") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="AUTOEXEC.BAT") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="ntuser.dat") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="desktop.ini") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="CONFIG.SYS") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="RECYCLER") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="BOOTSECT.BAK") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="programdata") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="appdata") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="program files") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="program files (x86)") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft", lpString2="microsoft") returned 0 [0275.891] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2=".") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="..") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="...") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="windows") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="$RECYCLE.BIN") returned 1 [0275.891] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="rsa") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="NTDETECT.COM") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="ntldr") returned -1 [0275.891] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="MSDOS.SYS") returned -1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="IO.SYS") returned 1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="boot.ini") returned 1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="AUTOEXEC.BAT") returned 1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="ntuser.dat") returned -1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="desktop.ini") returned 1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="CONFIG.SYS") returned 1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="RECYCLER") returned -1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="BOOTSECT.BAK") returned 1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="bootmgr") returned 1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="programdata") returned -1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="appdata") returned 1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="program files") returned -1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="program files (x86)") returned -1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="microsoft") returned 1 [0275.892] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="sophos") returned -1 [0275.892] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd08 [0275.892] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0275.892] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd60 [0275.892] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdb8 [0275.892] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe10 [0275.892] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0275.894] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.894] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.894] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.894] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.894] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2=".") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="..") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="...") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="windows") returned -1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="$RECYCLE.BIN") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="rsa") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="NTDETECT.COM") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="ntldr") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="MSDOS.SYS") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="IO.SYS") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="boot.ini") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="AUTOEXEC.BAT") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="ntuser.dat") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="desktop.ini") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="CONFIG.SYS") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="RECYCLER") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="BOOTSECT.BAK") returned 1 [0275.894] lstrcmpiW (lpString1="setup", lpString2="bootmgr") returned 1 [0275.895] lstrcmpiW (lpString1="setup", lpString2="programdata") returned 1 [0275.895] lstrcmpiW (lpString1="setup", lpString2="appdata") returned 1 [0275.895] lstrcmpiW (lpString1="setup", lpString2="program files") returned 1 [0275.895] lstrcmpiW (lpString1="setup", lpString2="program files (x86)") returned 1 [0275.895] lstrcmpiW (lpString1="setup", lpString2="microsoft") returned 1 [0275.895] lstrcmpiW (lpString1="setup", lpString2="sophos") returned -1 [0275.895] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe78 [0275.895] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0275.895] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe10 [0275.895] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de318 [0275.895] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de380 [0275.895] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f960 [0275.895] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.895] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.895] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.895] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.895] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe877edbb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="refcount.ini", cAlternateFileName="")) returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2=".") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="..") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="...") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="windows") returned -1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="$RECYCLE.BIN") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="rsa") returned -1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="NTDETECT.COM") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="ntldr") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="MSDOS.SYS") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="IO.SYS") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="boot.ini") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="AUTOEXEC.BAT") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="ntuser.dat") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="desktop.ini") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="CONFIG.SYS") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="RECYCLER") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="BOOTSECT.BAK") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="bootmgr") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="programdata") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="appdata") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="program files") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="program files (x86)") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="microsoft") returned 1 [0275.896] lstrcmpiW (lpString1="refcount.ini", lpString2="sophos") returned -1 [0275.896] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3e8 [0275.896] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de380 | out: hHeap=0x28d0000) returned 1 [0275.897] PathFindExtensionW (pszPath="refcount.ini") returned=".ini" [0275.897] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0275.897] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0275.897] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0275.897] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0275.897] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0275.897] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0275.897] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0275.897] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe877edbb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="refcount.ini", cAlternateFileName="")) returned 0 [0275.897] FindClose (in: hFindFile=0xa2f960 | out: hFindFile=0xa2f960) returned 1 [0275.897] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3e8 | out: hHeap=0x28d0000) returned 1 [0275.897] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0275.897] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0275.897] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 0 [0275.897] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0275.897] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe78 | out: hHeap=0x28d0000) returned 1 [0275.898] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb8 | out: hHeap=0x28d0000) returned 1 [0275.898] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd60 | out: hHeap=0x28d0000) returned 1 [0275.898] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2=".") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="..") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="...") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="windows") returned -1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="$RECYCLE.BIN") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="rsa") returned -1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="NTDETECT.COM") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="ntldr") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="MSDOS.SYS") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="IO.SYS") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="boot.ini") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="AUTOEXEC.BAT") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="ntuser.dat") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="desktop.ini") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="CONFIG.SYS") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="RECYCLER") returned -1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="BOOTSECT.BAK") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="bootmgr") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="programdata") returned -1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="appdata") returned 1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="program files") returned -1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="program files (x86)") returned -1 [0275.898] lstrcmpiW (lpString1="Oracle", lpString2="microsoft") returned 1 [0275.899] lstrcmpiW (lpString1="Oracle", lpString2="sophos") returned -1 [0275.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0275.899] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0275.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0275.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0275.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0275.899] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0275.899] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.899] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.900] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.900] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.900] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="...") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="windows") returned -1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="$RECYCLE.BIN") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="rsa") returned -1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="NTDETECT.COM") returned -1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="ntldr") returned -1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="MSDOS.SYS") returned -1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="IO.SYS") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="boot.ini") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="AUTOEXEC.BAT") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="ntuser.dat") returned -1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="desktop.ini") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="CONFIG.SYS") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="RECYCLER") returned -1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="BOOTSECT.BAK") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="bootmgr") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="programdata") returned -1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="appdata") returned 1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="program files") returned -1 [0275.900] lstrcmpiW (lpString1="Java", lpString2="program files (x86)") returned -1 [0275.901] lstrcmpiW (lpString1="Java", lpString2="microsoft") returned -1 [0275.901] lstrcmpiW (lpString1="Java", lpString2="sophos") returned -1 [0275.901] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbde0 [0275.901] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0275.901] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0275.901] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe28 [0275.901] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe70 [0275.901] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0275.902] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.902] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.902] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.902] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.902] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc2d63c47, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xad19b2ee, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".oracle_jre_usage", cAlternateFileName="ORACLE~1")) returned 1 [0275.902] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2=".") returned 1 [0275.902] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="..") returned 1 [0275.902] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="...") returned 1 [0275.902] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="windows") returned -1 [0275.902] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="$RECYCLE.BIN") returned 1 [0275.902] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="rsa") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="NTDETECT.COM") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="ntldr") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="MSDOS.SYS") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="IO.SYS") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="boot.ini") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="AUTOEXEC.BAT") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="ntuser.dat") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="desktop.ini") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="CONFIG.SYS") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="RECYCLER") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="BOOTSECT.BAK") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="bootmgr") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="programdata") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="appdata") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="program files") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="program files (x86)") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="microsoft") returned -1 [0275.903] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="sophos") returned -1 [0275.903] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de318 [0275.903] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0275.903] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0275.903] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de390 [0275.903] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de408 [0275.903] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc2d63c47, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xad19b2ee, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0275.905] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.905] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc2d63c47, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xad19b2ee, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.905] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.905] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.905] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad19b2ee, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad19b2ee, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x70ca10d9, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0x0, dwReserved1=0x0, cFileName="17dfc292991c7c46.timestamp", cAlternateFileName="17DFC2~1.TIM")) returned 1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2=".") returned 1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="..") returned 1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="...") returned 1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="windows") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="$RECYCLE.BIN") returned 1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="rsa") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="NTDETECT.COM") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="ntldr") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="MSDOS.SYS") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="IO.SYS") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="boot.ini") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="AUTOEXEC.BAT") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="ntuser.dat") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="desktop.ini") returned -1 [0275.905] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="CONFIG.SYS") returned -1 [0275.906] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="RECYCLER") returned -1 [0275.906] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="BOOTSECT.BAK") returned -1 [0275.906] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="bootmgr") returned -1 [0275.906] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="programdata") returned -1 [0275.906] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="appdata") returned -1 [0275.906] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="program files") returned -1 [0275.906] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="program files (x86)") returned -1 [0275.906] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="microsoft") returned -1 [0275.906] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="sophos") returned -1 [0275.906] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de480 [0275.906] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0275.906] PathFindExtensionW (pszPath="17dfc292991c7c46.timestamp") returned=".timestamp" [0275.906] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12e8 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".exe") returned 1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".log") returned 1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".cab") returned 1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".cmd") returned 1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".com") returned 1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".cpl") returned 1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".ini") returned 1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".dll") returned 1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".url") returned -1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".ttf") returned -1 [0275.906] lstrcmpiW (lpString1=".timestamp", lpString2=".mp3") returned 1 [0275.907] lstrcmpiW (lpString1=".timestamp", lpString2=".pif") returned 1 [0275.907] lstrcmpiW (lpString1=".timestamp", lpString2=".mp4") returned 1 [0275.907] lstrcmpiW (lpString1=".timestamp", lpString2=".NEFILIM") returned 1 [0275.907] lstrcmpiW (lpString1=".timestamp", lpString2=".msi") returned 1 [0275.907] lstrcmpiW (lpString1=".timestamp", lpString2=".lnk") returned 1 [0275.907] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0275.907] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de528 [0275.907] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp" (normalized: "c:\\users\\all users\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0275.908] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=51) returned 1 [0275.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0275.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0275.908] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0275.908] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0275.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0275.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0275.908] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0275.910] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0275.912] GetTickCount () returned 0x1185244 [0275.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de408 [0275.912] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0275.912] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.912] SetLastError (dwErrCode=0x0) [0275.912] WriteFile (in: hFile=0x274, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0275.914] GetLastError () returned 0x0 [0275.914] GetLastError () returned 0x0 [0275.914] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x133, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.914] WriteFile (in: hFile=0x274, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0275.914] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x233, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.914] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xcac6a788, dwHighDateTime=0x1d5fd73)) [0275.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de408 [0275.914] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0275.914] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0275.914] GetProcessHeap () returned 0xa10000 [0275.914] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x33) returned 0xa2f9a0 [0275.915] GetSystemDefaultLangID () returned 0xa20409 [0275.915] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.915] ReadFile (in: hFile=0x274, lpBuffer=0xa2f9a0, nNumberOfBytesToRead=0x33, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa2f9a0*, lpNumberOfBytesRead=0x26ee62c*=0x33, lpOverlapped=0x0) returned 1 [0275.915] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.915] WriteFile (in: hFile=0x274, lpBuffer=0xa2f9a0*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa2f9a0*, lpNumberOfBytesWritten=0x26ee620*=0x33, lpOverlapped=0x0) returned 1 [0275.915] GetProcessHeap () returned 0xa10000 [0275.915] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa2f9a0 | out: hHeap=0xa10000) returned 1 [0275.915] CloseHandle (hObject=0x274) returned 1 [0275.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0275.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0275.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0275.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0275.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de5d0 [0275.919] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp" (normalized: "c:\\users\\all users\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp"), lpNewFileName="C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp.NEFILIM" (normalized: "c:\\users\\all users\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp.nefilim")) returned 1 [0275.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de5d0 | out: hHeap=0x28d0000) returned 1 [0275.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de528 | out: hHeap=0x28d0000) returned 1 [0275.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e8 | out: hHeap=0x28d0000) returned 1 [0275.922] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad19b2ee, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad19b2ee, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x70ca10d9, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0x0, dwReserved1=0x0, cFileName="17dfc292991c7c46.timestamp", cAlternateFileName="17DFC2~1.TIM")) returned 0 [0275.922] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0275.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de480 | out: hHeap=0x28d0000) returned 1 [0275.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de390 | out: hHeap=0x28d0000) returned 1 [0275.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0275.922] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d35a5d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8d35a5d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="installcache_x64", cAlternateFileName="INSTAL~1")) returned 1 [0275.922] lstrcmpiW (lpString1="installcache_x64", lpString2=".") returned 1 [0275.922] lstrcmpiW (lpString1="installcache_x64", lpString2="..") returned 1 [0275.922] lstrcmpiW (lpString1="installcache_x64", lpString2="...") returned 1 [0275.922] lstrcmpiW (lpString1="installcache_x64", lpString2="windows") returned -1 [0275.922] lstrcmpiW (lpString1="installcache_x64", lpString2="$RECYCLE.BIN") returned 1 [0275.922] lstrcmpiW (lpString1="installcache_x64", lpString2="rsa") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="NTDETECT.COM") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="ntldr") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="MSDOS.SYS") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="IO.SYS") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="boot.ini") returned 1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="AUTOEXEC.BAT") returned 1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="ntuser.dat") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="desktop.ini") returned 1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="CONFIG.SYS") returned 1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="RECYCLER") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="BOOTSECT.BAK") returned 1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="bootmgr") returned 1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="programdata") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="appdata") returned 1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="program files") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="program files (x86)") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="microsoft") returned -1 [0275.923] lstrcmpiW (lpString1="installcache_x64", lpString2="sophos") returned -1 [0275.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe70 [0275.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x8e) returned 0x28de390 [0275.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0275.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0275.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de318 [0275.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0275.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de428 [0275.924] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d35a5d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8d35a5d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0275.925] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0275.925] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d35a5d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8d35a5d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0275.925] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0275.925] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0275.925] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa33265df, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa33265df, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa315c98a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4eba475, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="baseimagefam8", cAlternateFileName="BASEIM~1")) returned 1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2=".") returned 1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="..") returned 1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="...") returned 1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="windows") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="$RECYCLE.BIN") returned 1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="rsa") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="NTDETECT.COM") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="ntldr") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="MSDOS.SYS") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="IO.SYS") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="boot.ini") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="AUTOEXEC.BAT") returned 1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="ntuser.dat") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="desktop.ini") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="CONFIG.SYS") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="RECYCLER") returned -1 [0275.925] lstrcmpiW (lpString1="baseimagefam8", lpString2="BOOTSECT.BAK") returned -1 [0275.926] lstrcmpiW (lpString1="baseimagefam8", lpString2="bootmgr") returned -1 [0275.926] lstrcmpiW (lpString1="baseimagefam8", lpString2="programdata") returned -1 [0275.926] lstrcmpiW (lpString1="baseimagefam8", lpString2="appdata") returned 1 [0275.926] lstrcmpiW (lpString1="baseimagefam8", lpString2="program files") returned -1 [0275.926] lstrcmpiW (lpString1="baseimagefam8", lpString2="program files (x86)") returned -1 [0275.926] lstrcmpiW (lpString1="baseimagefam8", lpString2="microsoft") returned -1 [0275.926] lstrcmpiW (lpString1="baseimagefam8", lpString2="sophos") returned -1 [0275.926] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de4a0 [0275.926] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0275.926] PathFindExtensionW (pszPath="baseimagefam8") returned="" [0275.926] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".NEFILIM") returned -1 [0275.926] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0275.927] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0275.927] lstrcmpiW (lpString1="baseimagefam8", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0275.927] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de528 [0275.927] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\baseimagefam8" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\baseimagefam8"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0275.928] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=82551925) returned 1 [0275.928] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0275.928] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0275.928] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0275.928] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0275.928] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0275.928] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0275.928] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0275.928] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0275.930] GetTickCount () returned 0x1185254 [0275.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de428 [0275.930] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0275.930] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4eba475, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.930] SetLastError (dwErrCode=0x0) [0275.930] WriteFile (in: hFile=0x274, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0275.934] GetLastError () returned 0x0 [0275.934] GetLastError () returned 0x0 [0275.934] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4eba575, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.934] WriteFile (in: hFile=0x274, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0275.934] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4eba675, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.934] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xcac90936, dwHighDateTime=0x1d5fd73)) [0275.934] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de428 [0275.934] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0275.934] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0275.935] GetProcessHeap () returned 0xa10000 [0275.935] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0275.936] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0275.988] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.001] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.078] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.079] GetProcessHeap () returned 0xa10000 [0276.222] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.223] GetProcessHeap () returned 0xa10000 [0276.223] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.223] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.223] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.232] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.232] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.233] GetProcessHeap () returned 0xa10000 [0276.233] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.233] GetProcessHeap () returned 0xa10000 [0276.233] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.233] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.233] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.245] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.245] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.245] GetProcessHeap () returned 0xa10000 [0276.245] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.247] GetProcessHeap () returned 0xa10000 [0276.247] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.248] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.248] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.260] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.260] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.261] GetProcessHeap () returned 0xa10000 [0276.261] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.261] GetProcessHeap () returned 0xa10000 [0276.261] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.261] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.261] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.280] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.280] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.281] GetProcessHeap () returned 0xa10000 [0276.281] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.282] GetProcessHeap () returned 0xa10000 [0276.282] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.282] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.282] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.292] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.292] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.292] GetProcessHeap () returned 0xa10000 [0276.292] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.294] GetProcessHeap () returned 0xa10000 [0276.294] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.295] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.295] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.308] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.308] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.309] GetProcessHeap () returned 0xa10000 [0276.309] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.309] GetProcessHeap () returned 0xa10000 [0276.309] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.309] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.309] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.320] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.320] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.320] GetProcessHeap () returned 0xa10000 [0276.320] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.320] GetProcessHeap () returned 0xa10000 [0276.321] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.321] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.321] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.339] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.339] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.341] GetProcessHeap () returned 0xa10000 [0276.341] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.342] GetProcessHeap () returned 0xa10000 [0276.342] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.344] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.344] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.355] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.355] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.356] GetProcessHeap () returned 0xa10000 [0276.356] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.356] GetProcessHeap () returned 0xa10000 [0276.356] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.356] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.356] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.366] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.366] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.367] GetProcessHeap () returned 0xa10000 [0276.367] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.367] GetProcessHeap () returned 0xa10000 [0276.367] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.367] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.367] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.376] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.376] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.377] GetProcessHeap () returned 0xa10000 [0276.377] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.379] GetProcessHeap () returned 0xa10000 [0276.379] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.380] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.380] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.392] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.392] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.392] GetProcessHeap () returned 0xa10000 [0276.392] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.392] GetProcessHeap () returned 0xa10000 [0276.392] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.393] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.393] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.412] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.412] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.412] GetProcessHeap () returned 0xa10000 [0276.412] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.412] GetProcessHeap () returned 0xa10000 [0276.412] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.413] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.413] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.422] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.422] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.422] GetProcessHeap () returned 0xa10000 [0276.422] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.424] GetProcessHeap () returned 0xa10000 [0276.425] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.426] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.426] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.437] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.437] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.438] GetProcessHeap () returned 0xa10000 [0276.438] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.438] GetProcessHeap () returned 0xa10000 [0276.438] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.438] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.438] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.448] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.448] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.449] GetProcessHeap () returned 0xa10000 [0276.449] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.449] GetProcessHeap () returned 0xa10000 [0276.449] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.449] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.449] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.467] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.467] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.467] GetProcessHeap () returned 0xa10000 [0276.468] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.469] GetProcessHeap () returned 0xa10000 [0276.469] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.470] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.470] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.482] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.482] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.483] GetProcessHeap () returned 0xa10000 [0276.483] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.483] GetProcessHeap () returned 0xa10000 [0276.483] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.483] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.483] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.493] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.493] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.494] GetProcessHeap () returned 0xa10000 [0276.494] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.494] GetProcessHeap () returned 0xa10000 [0276.494] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.494] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.494] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.504] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.504] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.505] GetProcessHeap () returned 0xa10000 [0276.505] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.507] GetProcessHeap () returned 0xa10000 [0276.507] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.508] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.508] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.527] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.527] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.527] GetProcessHeap () returned 0xa10000 [0276.527] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.527] GetProcessHeap () returned 0xa10000 [0276.527] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.527] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.528] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.537] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.537] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.538] GetProcessHeap () returned 0xa10000 [0276.538] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.538] GetProcessHeap () returned 0xa10000 [0276.538] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.538] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.538] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.548] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.548] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.549] GetProcessHeap () returned 0xa10000 [0276.549] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.551] GetProcessHeap () returned 0xa10000 [0276.551] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.552] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.552] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.564] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.564] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.565] GetProcessHeap () returned 0xa10000 [0276.565] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.582] GetProcessHeap () returned 0xa10000 [0276.582] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.583] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.583] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.602] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.602] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.604] GetProcessHeap () returned 0xa10000 [0276.604] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.604] GetProcessHeap () returned 0xa10000 [0276.604] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.604] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.604] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.614] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.614] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.614] GetProcessHeap () returned 0xa10000 [0276.614] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.616] GetProcessHeap () returned 0xa10000 [0276.616] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.617] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.617] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.629] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.629] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.630] GetProcessHeap () returned 0xa10000 [0276.630] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.630] GetProcessHeap () returned 0xa10000 [0276.630] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.630] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.630] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.638] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.638] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.639] GetProcessHeap () returned 0xa10000 [0276.639] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.639] GetProcessHeap () returned 0xa10000 [0276.639] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.639] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.639] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.683] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.683] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.686] GetProcessHeap () returned 0xa10000 [0276.686] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.689] GetProcessHeap () returned 0xa10000 [0276.689] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.692] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.692] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.786] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.787] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.788] GetProcessHeap () returned 0xa10000 [0276.788] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.788] GetProcessHeap () returned 0xa10000 [0276.788] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.788] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.788] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.803] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.803] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.804] GetProcessHeap () returned 0xa10000 [0276.804] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.804] GetProcessHeap () returned 0xa10000 [0276.804] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.804] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.804] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.819] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.819] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.819] GetProcessHeap () returned 0xa10000 [0276.819] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.821] GetProcessHeap () returned 0xa10000 [0276.821] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.822] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.822] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.866] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.866] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.866] GetProcessHeap () returned 0xa10000 [0276.866] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.866] GetProcessHeap () returned 0xa10000 [0276.866] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.866] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.867] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.885] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.885] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.886] GetProcessHeap () returned 0xa10000 [0276.886] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.886] GetProcessHeap () returned 0xa10000 [0276.886] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.886] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.886] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.896] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.897] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.897] GetProcessHeap () returned 0xa10000 [0276.897] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.899] GetProcessHeap () returned 0xa10000 [0276.899] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.900] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.900] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.911] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.911] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.912] GetProcessHeap () returned 0xa10000 [0276.912] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.912] GetProcessHeap () returned 0xa10000 [0276.912] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.912] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.912] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.923] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.923] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.923] GetProcessHeap () returned 0xa10000 [0276.924] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.924] GetProcessHeap () returned 0xa10000 [0276.924] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.924] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.924] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.940] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.941] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.941] GetProcessHeap () returned 0xa10000 [0276.941] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.944] GetProcessHeap () returned 0xa10000 [0276.944] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.945] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.945] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.957] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.957] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.958] GetProcessHeap () returned 0xa10000 [0276.958] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.958] GetProcessHeap () returned 0xa10000 [0276.958] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.958] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.958] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.968] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.968] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.969] GetProcessHeap () returned 0xa10000 [0276.969] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.969] GetProcessHeap () returned 0xa10000 [0276.969] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.969] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.969] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0276.979] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.979] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0276.979] GetProcessHeap () returned 0xa10000 [0276.980] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0276.981] GetProcessHeap () returned 0xa10000 [0276.981] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0276.982] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0276.982] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.003] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.003] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.003] GetProcessHeap () returned 0xa10000 [0277.003] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.003] GetProcessHeap () returned 0xa10000 [0277.003] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.004] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.004] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.014] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.014] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.014] GetProcessHeap () returned 0xa10000 [0277.014] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.014] GetProcessHeap () returned 0xa10000 [0277.015] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.015] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.015] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.024] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.024] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.025] GetProcessHeap () returned 0xa10000 [0277.025] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.027] GetProcessHeap () returned 0xa10000 [0277.027] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.028] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.028] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.039] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.040] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.040] GetProcessHeap () returned 0xa10000 [0277.040] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.041] GetProcessHeap () returned 0xa10000 [0277.041] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.041] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.041] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.058] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.058] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.060] GetProcessHeap () returned 0xa10000 [0277.060] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.060] GetProcessHeap () returned 0xa10000 [0277.060] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.060] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.060] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.070] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.070] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.071] GetProcessHeap () returned 0xa10000 [0277.071] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.072] GetProcessHeap () returned 0xa10000 [0277.072] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.074] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.074] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.085] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.085] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.086] GetProcessHeap () returned 0xa10000 [0277.086] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.086] GetProcessHeap () returned 0xa10000 [0277.086] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.086] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.086] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.097] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.097] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.098] GetProcessHeap () returned 0xa10000 [0277.098] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.098] GetProcessHeap () returned 0xa10000 [0277.098] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.098] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.098] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.118] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.118] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.119] GetProcessHeap () returned 0xa10000 [0277.119] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.121] GetProcessHeap () returned 0xa10000 [0277.121] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.178] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.178] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.190] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.190] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.190] GetProcessHeap () returned 0xa10000 [0277.190] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.190] GetProcessHeap () returned 0xa10000 [0277.190] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.191] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.191] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.200] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.200] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.201] GetProcessHeap () returned 0xa10000 [0277.201] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.201] GetProcessHeap () returned 0xa10000 [0277.201] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.201] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.201] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.209] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.209] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.209] GetProcessHeap () returned 0xa10000 [0277.209] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.211] GetProcessHeap () returned 0xa10000 [0277.211] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.211] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.212] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.223] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.223] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.223] GetProcessHeap () returned 0xa10000 [0277.223] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.223] GetProcessHeap () returned 0xa10000 [0277.224] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.224] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.224] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.250] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.250] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.251] GetProcessHeap () returned 0xa10000 [0277.251] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.251] GetProcessHeap () returned 0xa10000 [0277.251] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.251] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.252] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.265] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.265] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.265] GetProcessHeap () returned 0xa10000 [0277.265] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.267] GetProcessHeap () returned 0xa10000 [0277.267] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.268] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.268] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.277] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.277] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.278] GetProcessHeap () returned 0xa10000 [0277.278] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.279] GetProcessHeap () returned 0xa10000 [0277.279] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.279] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.279] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.287] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.287] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.288] GetProcessHeap () returned 0xa10000 [0277.288] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.288] GetProcessHeap () returned 0xa10000 [0277.288] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.288] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.288] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.304] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.304] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.304] GetProcessHeap () returned 0xa10000 [0277.304] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.306] GetProcessHeap () returned 0xa10000 [0277.306] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.306] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.307] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.316] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.316] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.316] GetProcessHeap () returned 0xa10000 [0277.316] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.316] GetProcessHeap () returned 0xa10000 [0277.316] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.316] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.317] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.325] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.325] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.326] GetProcessHeap () returned 0xa10000 [0277.326] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.326] GetProcessHeap () returned 0xa10000 [0277.326] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.326] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.326] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.334] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.334] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.335] GetProcessHeap () returned 0xa10000 [0277.335] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.336] GetProcessHeap () returned 0xa10000 [0277.336] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.338] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.338] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.357] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.357] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.358] GetProcessHeap () returned 0xa10000 [0277.358] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.358] GetProcessHeap () returned 0xa10000 [0277.359] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.359] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.359] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.367] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.367] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.368] GetProcessHeap () returned 0xa10000 [0277.368] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.368] GetProcessHeap () returned 0xa10000 [0277.368] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.368] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.368] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.377] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.377] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.378] GetProcessHeap () returned 0xa10000 [0277.378] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.379] GetProcessHeap () returned 0xa10000 [0277.379] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.380] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.380] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.391] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.391] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.392] GetProcessHeap () returned 0xa10000 [0277.392] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.392] GetProcessHeap () returned 0xa10000 [0277.392] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.392] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.392] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.407] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.407] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.409] GetProcessHeap () returned 0xa10000 [0277.409] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.409] GetProcessHeap () returned 0xa10000 [0277.409] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.409] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.409] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.416] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.416] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.417] GetProcessHeap () returned 0xa10000 [0277.417] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.418] GetProcessHeap () returned 0xa10000 [0277.418] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.419] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.419] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.429] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.429] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.429] GetProcessHeap () returned 0xa10000 [0277.429] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.429] GetProcessHeap () returned 0xa10000 [0277.430] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.430] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.430] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.438] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.438] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.439] GetProcessHeap () returned 0xa10000 [0277.439] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.439] GetProcessHeap () returned 0xa10000 [0277.439] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.439] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.439] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.454] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.454] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.456] GetProcessHeap () returned 0xa10000 [0277.456] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.457] GetProcessHeap () returned 0xa10000 [0277.457] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.458] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.458] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.470] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.470] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.471] GetProcessHeap () returned 0xa10000 [0277.471] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.471] GetProcessHeap () returned 0xa10000 [0277.471] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.471] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.471] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.491] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.491] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.492] GetProcessHeap () returned 0xa10000 [0277.492] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.492] GetProcessHeap () returned 0xa10000 [0277.492] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.492] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.492] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.531] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.531] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.531] GetProcessHeap () returned 0xa10000 [0277.531] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.533] GetProcessHeap () returned 0xa10000 [0277.533] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.534] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.534] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.600] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.600] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.602] GetProcessHeap () returned 0xa10000 [0277.602] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.602] GetProcessHeap () returned 0xa10000 [0277.602] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.602] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.602] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.615] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.615] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.616] GetProcessHeap () returned 0xa10000 [0277.616] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.616] GetProcessHeap () returned 0xa10000 [0277.616] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.616] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.616] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.861] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.862] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.862] GetProcessHeap () returned 0xa10000 [0277.862] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.863] GetProcessHeap () returned 0xa10000 [0277.863] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.864] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.864] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.907] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.907] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.908] GetProcessHeap () returned 0xa10000 [0277.908] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.908] GetProcessHeap () returned 0xa10000 [0277.908] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.908] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.908] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.918] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.918] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.919] GetProcessHeap () returned 0xa10000 [0277.920] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.920] GetProcessHeap () returned 0xa10000 [0277.920] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.920] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.920] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.939] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.940] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.940] GetProcessHeap () returned 0xa10000 [0277.940] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.942] GetProcessHeap () returned 0xa10000 [0277.942] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.944] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.944] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.955] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.955] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.956] GetProcessHeap () returned 0xa10000 [0277.956] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.956] GetProcessHeap () returned 0xa10000 [0277.956] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.956] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.956] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.983] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.983] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.984] GetProcessHeap () returned 0xa10000 [0277.984] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.984] GetProcessHeap () returned 0xa10000 [0277.984] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.984] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.984] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0277.994] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.994] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0277.995] GetProcessHeap () returned 0xa10000 [0277.995] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0277.996] GetProcessHeap () returned 0xa10000 [0277.996] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0277.998] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0277.998] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.019] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.019] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.020] GetProcessHeap () returned 0xa10000 [0278.020] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.020] GetProcessHeap () returned 0xa10000 [0278.020] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.020] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.020] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.030] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.030] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.031] GetProcessHeap () returned 0xa10000 [0278.031] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.031] GetProcessHeap () returned 0xa10000 [0278.031] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.031] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.031] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.041] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.041] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.042] GetProcessHeap () returned 0xa10000 [0278.042] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.044] GetProcessHeap () returned 0xa10000 [0278.044] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.046] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.046] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.058] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.058] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.059] GetProcessHeap () returned 0xa10000 [0278.059] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.059] GetProcessHeap () returned 0xa10000 [0278.059] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.059] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.059] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.102] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.102] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.103] GetProcessHeap () returned 0xa10000 [0278.103] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.103] GetProcessHeap () returned 0xa10000 [0278.103] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.103] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.103] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.112] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.112] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.112] GetProcessHeap () returned 0xa10000 [0278.112] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.114] GetProcessHeap () returned 0xa10000 [0278.114] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.115] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.115] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.176] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.176] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.177] GetProcessHeap () returned 0xa10000 [0278.177] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.177] GetProcessHeap () returned 0xa10000 [0278.177] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.177] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.177] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.187] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.188] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.188] GetProcessHeap () returned 0xa10000 [0278.188] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.188] GetProcessHeap () returned 0xa10000 [0278.188] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.188] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.188] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.207] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.207] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.208] GetProcessHeap () returned 0xa10000 [0278.208] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.210] GetProcessHeap () returned 0xa10000 [0278.210] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.211] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.211] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.221] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.221] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.222] GetProcessHeap () returned 0xa10000 [0278.222] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.222] GetProcessHeap () returned 0xa10000 [0278.222] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.222] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.222] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.230] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.230] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.230] GetProcessHeap () returned 0xa10000 [0278.230] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.230] GetProcessHeap () returned 0xa10000 [0278.230] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.230] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.230] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.238] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.238] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.238] GetProcessHeap () returned 0xa10000 [0278.238] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.240] GetProcessHeap () returned 0xa10000 [0278.240] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.241] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.241] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.257] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.257] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.258] GetProcessHeap () returned 0xa10000 [0278.258] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.258] GetProcessHeap () returned 0xa10000 [0278.258] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.258] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.258] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.266] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.266] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.267] GetProcessHeap () returned 0xa10000 [0278.267] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.267] GetProcessHeap () returned 0xa10000 [0278.267] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.267] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.267] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.276] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.276] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.276] GetProcessHeap () returned 0xa10000 [0278.276] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.278] GetProcessHeap () returned 0xa10000 [0278.278] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.279] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.279] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.288] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.288] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.288] GetProcessHeap () returned 0xa10000 [0278.288] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.288] GetProcessHeap () returned 0xa10000 [0278.288] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.288] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.288] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.297] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.298] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.298] GetProcessHeap () returned 0xa10000 [0278.298] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.298] GetProcessHeap () returned 0xa10000 [0278.298] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.298] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.298] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.313] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.313] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.314] GetProcessHeap () returned 0xa10000 [0278.314] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.315] GetProcessHeap () returned 0xa10000 [0278.315] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.316] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.316] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.326] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.326] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.327] GetProcessHeap () returned 0xa10000 [0278.327] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.327] GetProcessHeap () returned 0xa10000 [0278.327] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.327] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.327] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.337] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.337] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.337] GetProcessHeap () returned 0xa10000 [0278.337] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.337] GetProcessHeap () returned 0xa10000 [0278.338] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.338] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.338] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.346] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.346] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.346] GetProcessHeap () returned 0xa10000 [0278.346] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.348] GetProcessHeap () returned 0xa10000 [0278.348] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.349] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.349] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.367] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.367] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.368] GetProcessHeap () returned 0xa10000 [0278.368] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.368] GetProcessHeap () returned 0xa10000 [0278.368] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.368] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.368] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.378] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.378] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.378] GetProcessHeap () returned 0xa10000 [0278.379] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.379] GetProcessHeap () returned 0xa10000 [0278.379] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.379] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.379] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.389] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.389] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.390] GetProcessHeap () returned 0xa10000 [0278.390] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.391] GetProcessHeap () returned 0xa10000 [0278.391] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.392] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.393] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.404] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.404] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.405] GetProcessHeap () returned 0xa10000 [0278.405] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.405] GetProcessHeap () returned 0xa10000 [0278.405] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.405] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.405] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.422] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.422] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.423] GetProcessHeap () returned 0xa10000 [0278.423] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.423] GetProcessHeap () returned 0xa10000 [0278.424] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.424] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.424] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.433] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.433] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.434] GetProcessHeap () returned 0xa10000 [0278.434] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.436] GetProcessHeap () returned 0xa10000 [0278.436] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.437] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.437] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.446] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.446] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.446] GetProcessHeap () returned 0xa10000 [0278.447] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.447] GetProcessHeap () returned 0xa10000 [0278.447] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.447] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.447] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.457] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.457] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.458] GetProcessHeap () returned 0xa10000 [0278.458] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.458] GetProcessHeap () returned 0xa10000 [0278.458] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.458] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.458] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.472] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.473] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.474] GetProcessHeap () returned 0xa10000 [0278.474] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.476] GetProcessHeap () returned 0xa10000 [0278.476] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.477] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.477] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.487] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.487] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.487] GetProcessHeap () returned 0xa10000 [0278.487] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.487] GetProcessHeap () returned 0xa10000 [0278.487] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.487] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.487] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.495] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.495] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.496] GetProcessHeap () returned 0xa10000 [0278.496] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.496] GetProcessHeap () returned 0xa10000 [0278.496] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.496] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.496] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.504] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.504] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.505] GetProcessHeap () returned 0xa10000 [0278.505] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.506] GetProcessHeap () returned 0xa10000 [0278.506] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.507] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.508] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.525] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.525] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.527] GetProcessHeap () returned 0xa10000 [0278.527] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.527] GetProcessHeap () returned 0xa10000 [0278.527] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.527] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.527] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.534] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.535] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.535] GetProcessHeap () returned 0xa10000 [0278.535] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.535] GetProcessHeap () returned 0xa10000 [0278.536] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.536] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.536] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.545] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.545] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.545] GetProcessHeap () returned 0xa10000 [0278.545] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.547] GetProcessHeap () returned 0xa10000 [0278.547] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.548] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.548] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.559] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.559] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.559] GetProcessHeap () returned 0xa10000 [0278.560] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.560] GetProcessHeap () returned 0xa10000 [0278.560] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.560] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.560] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.569] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.569] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.569] GetProcessHeap () returned 0xa10000 [0278.569] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.570] GetProcessHeap () returned 0xa10000 [0278.570] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.570] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.570] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.636] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.636] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.637] GetProcessHeap () returned 0xa10000 [0278.637] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.638] GetProcessHeap () returned 0xa10000 [0278.638] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.639] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.639] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.646] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.646] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.647] GetProcessHeap () returned 0xa10000 [0278.647] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.647] GetProcessHeap () returned 0xa10000 [0278.647] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.647] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.647] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.655] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.655] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.655] GetProcessHeap () returned 0xa10000 [0278.656] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.656] GetProcessHeap () returned 0xa10000 [0278.656] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.656] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.656] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.664] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.664] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.665] GetProcessHeap () returned 0xa10000 [0278.665] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.667] GetProcessHeap () returned 0xa10000 [0278.667] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.668] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.668] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.705] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.705] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.706] GetProcessHeap () returned 0xa10000 [0278.706] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.706] GetProcessHeap () returned 0xa10000 [0278.706] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.706] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.706] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.713] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.713] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.714] GetProcessHeap () returned 0xa10000 [0278.714] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.714] GetProcessHeap () returned 0xa10000 [0278.714] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.714] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.714] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.723] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.723] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.724] GetProcessHeap () returned 0xa10000 [0278.724] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.725] GetProcessHeap () returned 0xa10000 [0278.725] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.726] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.726] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.736] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.737] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.737] GetProcessHeap () returned 0xa10000 [0278.737] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.737] GetProcessHeap () returned 0xa10000 [0278.737] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.737] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.737] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.751] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.752] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.753] GetProcessHeap () returned 0xa10000 [0278.753] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.753] GetProcessHeap () returned 0xa10000 [0278.753] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.753] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.753] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.762] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.762] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.763] GetProcessHeap () returned 0xa10000 [0278.763] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.765] GetProcessHeap () returned 0xa10000 [0278.765] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.766] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.766] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.777] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.777] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.777] GetProcessHeap () returned 0xa10000 [0278.777] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.777] GetProcessHeap () returned 0xa10000 [0278.777] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.777] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.778] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.800] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.800] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.801] GetProcessHeap () returned 0xa10000 [0278.801] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.801] GetProcessHeap () returned 0xa10000 [0278.801] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.801] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.801] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.817] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.817] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.818] GetProcessHeap () returned 0xa10000 [0278.818] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.820] GetProcessHeap () returned 0xa10000 [0278.820] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.821] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.821] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.832] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.832] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.833] GetProcessHeap () returned 0xa10000 [0278.833] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.833] GetProcessHeap () returned 0xa10000 [0278.833] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.833] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.833] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.842] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.842] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.843] GetProcessHeap () returned 0xa10000 [0278.843] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.843] GetProcessHeap () returned 0xa10000 [0278.843] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.843] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.843] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.851] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.851] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.852] GetProcessHeap () returned 0xa10000 [0278.852] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.854] GetProcessHeap () returned 0xa10000 [0278.854] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.855] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.855] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.873] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.873] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.874] GetProcessHeap () returned 0xa10000 [0278.874] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.874] GetProcessHeap () returned 0xa10000 [0278.874] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.875] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.875] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.882] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.882] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.883] GetProcessHeap () returned 0xa10000 [0278.883] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.883] GetProcessHeap () returned 0xa10000 [0278.883] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.883] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.883] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.892] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.892] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.892] GetProcessHeap () returned 0xa10000 [0278.892] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.894] GetProcessHeap () returned 0xa10000 [0278.894] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.895] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.895] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.907] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.907] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.908] GetProcessHeap () returned 0xa10000 [0278.908] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.908] GetProcessHeap () returned 0xa10000 [0278.908] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.908] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.908] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.916] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.916] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.917] GetProcessHeap () returned 0xa10000 [0278.917] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.918] GetProcessHeap () returned 0xa10000 [0278.918] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.919] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.919] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.938] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.938] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.938] GetProcessHeap () returned 0xa10000 [0278.938] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.939] GetProcessHeap () returned 0xa10000 [0278.939] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.939] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.939] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.949] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.949] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.950] GetProcessHeap () returned 0xa10000 [0278.950] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.950] GetProcessHeap () returned 0xa10000 [0278.950] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.950] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.951] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.959] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.959] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.959] GetProcessHeap () returned 0xa10000 [0278.959] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.961] GetProcessHeap () returned 0xa10000 [0278.961] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.962] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.962] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.973] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.973] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.973] GetProcessHeap () returned 0xa10000 [0278.973] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.973] GetProcessHeap () returned 0xa10000 [0278.973] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.973] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.974] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0278.991] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.991] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0278.992] GetProcessHeap () returned 0xa10000 [0278.992] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0278.992] GetProcessHeap () returned 0xa10000 [0278.992] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0278.992] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0278.992] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.002] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.002] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.003] GetProcessHeap () returned 0xa10000 [0279.003] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.004] GetProcessHeap () returned 0xa10000 [0279.004] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.006] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.006] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.017] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.017] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.018] GetProcessHeap () returned 0xa10000 [0279.018] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.018] GetProcessHeap () returned 0xa10000 [0279.018] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.018] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.018] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.027] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.028] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.028] GetProcessHeap () returned 0xa10000 [0279.029] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.029] GetProcessHeap () returned 0xa10000 [0279.029] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.029] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.029] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.042] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.042] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.043] GetProcessHeap () returned 0xa10000 [0279.043] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.044] GetProcessHeap () returned 0xa10000 [0279.044] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.045] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.045] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.054] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.054] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.055] GetProcessHeap () returned 0xa10000 [0279.055] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.055] GetProcessHeap () returned 0xa10000 [0279.055] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.055] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.055] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.064] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.065] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.065] GetProcessHeap () returned 0xa10000 [0279.065] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.065] GetProcessHeap () returned 0xa10000 [0279.065] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.065] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.065] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.074] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.074] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.074] GetProcessHeap () returned 0xa10000 [0279.074] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.076] GetProcessHeap () returned 0xa10000 [0279.076] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.078] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.078] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.095] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.095] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.096] GetProcessHeap () returned 0xa10000 [0279.096] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.096] GetProcessHeap () returned 0xa10000 [0279.096] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.096] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.096] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.106] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.106] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.107] GetProcessHeap () returned 0xa10000 [0279.107] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.107] GetProcessHeap () returned 0xa10000 [0279.107] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.107] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.107] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.115] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.115] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.116] GetProcessHeap () returned 0xa10000 [0279.116] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.117] GetProcessHeap () returned 0xa10000 [0279.117] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.118] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.118] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.159] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.159] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.160] GetProcessHeap () returned 0xa10000 [0279.160] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.160] GetProcessHeap () returned 0xa10000 [0279.160] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.160] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.160] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.174] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.175] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.176] GetProcessHeap () returned 0xa10000 [0279.176] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.176] GetProcessHeap () returned 0xa10000 [0279.176] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.176] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.176] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.183] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.183] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.184] GetProcessHeap () returned 0xa10000 [0279.184] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.185] GetProcessHeap () returned 0xa10000 [0279.185] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.186] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.186] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.197] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.197] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.198] GetProcessHeap () returned 0xa10000 [0279.198] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.198] GetProcessHeap () returned 0xa10000 [0279.198] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.198] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.198] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.210] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.210] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.210] GetProcessHeap () returned 0xa10000 [0279.211] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.211] GetProcessHeap () returned 0xa10000 [0279.211] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.211] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.211] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.219] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.219] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.219] GetProcessHeap () returned 0xa10000 [0279.219] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.220] GetProcessHeap () returned 0xa10000 [0279.220] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.221] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.221] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.238] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.238] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.238] GetProcessHeap () returned 0xa10000 [0279.238] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.238] GetProcessHeap () returned 0xa10000 [0279.238] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.238] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.239] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.246] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.246] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.247] GetProcessHeap () returned 0xa10000 [0279.247] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.247] GetProcessHeap () returned 0xa10000 [0279.247] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.247] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.247] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.254] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.254] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.255] GetProcessHeap () returned 0xa10000 [0279.255] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.256] GetProcessHeap () returned 0xa10000 [0279.256] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.257] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.257] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.267] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.267] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.268] GetProcessHeap () returned 0xa10000 [0279.268] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.268] GetProcessHeap () returned 0xa10000 [0279.268] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.268] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.268] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.283] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.283] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.284] GetProcessHeap () returned 0xa10000 [0279.284] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.284] GetProcessHeap () returned 0xa10000 [0279.284] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.284] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.284] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.292] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.292] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.293] GetProcessHeap () returned 0xa10000 [0279.293] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.294] GetProcessHeap () returned 0xa10000 [0279.294] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.295] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.295] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.305] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.305] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.306] GetProcessHeap () returned 0xa10000 [0279.306] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.306] GetProcessHeap () returned 0xa10000 [0279.306] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.306] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.306] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.313] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.313] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.314] GetProcessHeap () returned 0xa10000 [0279.314] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.314] GetProcessHeap () returned 0xa10000 [0279.314] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.314] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.314] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.328] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.328] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.329] GetProcessHeap () returned 0xa10000 [0279.329] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.330] GetProcessHeap () returned 0xa10000 [0279.330] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.331] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.331] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.340] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.340] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.341] GetProcessHeap () returned 0xa10000 [0279.341] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.341] GetProcessHeap () returned 0xa10000 [0279.341] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.341] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.341] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.350] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.350] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.350] GetProcessHeap () returned 0xa10000 [0279.350] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.350] GetProcessHeap () returned 0xa10000 [0279.350] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.350] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.350] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.359] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.359] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.359] GetProcessHeap () returned 0xa10000 [0279.359] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.361] GetProcessHeap () returned 0xa10000 [0279.361] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.362] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.362] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.378] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.378] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.379] GetProcessHeap () returned 0xa10000 [0279.379] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.379] GetProcessHeap () returned 0xa10000 [0279.379] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.379] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.379] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.387] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.387] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.435] GetProcessHeap () returned 0xa10000 [0279.435] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.435] GetProcessHeap () returned 0xa10000 [0279.435] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.435] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.435] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.443] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.443] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.443] GetProcessHeap () returned 0xa10000 [0279.444] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.445] GetProcessHeap () returned 0xa10000 [0279.445] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.446] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.446] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.455] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.455] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.456] GetProcessHeap () returned 0xa10000 [0279.456] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.456] GetProcessHeap () returned 0xa10000 [0279.456] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.456] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.456] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.471] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.471] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.472] GetProcessHeap () returned 0xa10000 [0279.472] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.472] GetProcessHeap () returned 0xa10000 [0279.472] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.472] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.472] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.481] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.481] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.482] GetProcessHeap () returned 0xa10000 [0279.482] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.483] GetProcessHeap () returned 0xa10000 [0279.483] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.484] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.484] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.492] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.493] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.493] GetProcessHeap () returned 0xa10000 [0279.493] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.493] GetProcessHeap () returned 0xa10000 [0279.493] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.493] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.493] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.501] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.501] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.501] GetProcessHeap () returned 0xa10000 [0279.501] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.501] GetProcessHeap () returned 0xa10000 [0279.501] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.501] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.501] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.509] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.509] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.509] GetProcessHeap () returned 0xa10000 [0279.510] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.511] GetProcessHeap () returned 0xa10000 [0279.511] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.512] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.512] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.532] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.532] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.532] GetProcessHeap () returned 0xa10000 [0279.532] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.532] GetProcessHeap () returned 0xa10000 [0279.532] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.532] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.532] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.540] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.540] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.540] GetProcessHeap () returned 0xa10000 [0279.540] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.540] GetProcessHeap () returned 0xa10000 [0279.540] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.540] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.541] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.551] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.551] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.552] GetProcessHeap () returned 0xa10000 [0279.552] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.553] GetProcessHeap () returned 0xa10000 [0279.553] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.554] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.554] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.565] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.565] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.565] GetProcessHeap () returned 0xa10000 [0279.566] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.566] GetProcessHeap () returned 0xa10000 [0279.566] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.566] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.566] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.599] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.600] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.600] GetProcessHeap () returned 0xa10000 [0279.600] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.600] GetProcessHeap () returned 0xa10000 [0279.600] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.600] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.600] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.610] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.610] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.611] GetProcessHeap () returned 0xa10000 [0279.611] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.612] GetProcessHeap () returned 0xa10000 [0279.612] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.613] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.613] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.626] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.626] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.626] GetProcessHeap () returned 0xa10000 [0279.626] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.627] GetProcessHeap () returned 0xa10000 [0279.627] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.627] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.627] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.638] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.638] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.638] GetProcessHeap () returned 0xa10000 [0279.639] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.639] GetProcessHeap () returned 0xa10000 [0279.639] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.639] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.639] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.656] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.656] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.657] GetProcessHeap () returned 0xa10000 [0279.657] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.658] GetProcessHeap () returned 0xa10000 [0279.658] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.659] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.659] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.671] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.671] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.671] GetProcessHeap () returned 0xa10000 [0279.672] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.672] GetProcessHeap () returned 0xa10000 [0279.672] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.672] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.672] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.682] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.682] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.683] GetProcessHeap () returned 0xa10000 [0279.683] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.683] GetProcessHeap () returned 0xa10000 [0279.683] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.683] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.683] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.692] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.693] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.693] GetProcessHeap () returned 0xa10000 [0279.693] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.695] GetProcessHeap () returned 0xa10000 [0279.695] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.696] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.696] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.715] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.715] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.717] GetProcessHeap () returned 0xa10000 [0279.717] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.717] GetProcessHeap () returned 0xa10000 [0279.717] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.717] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.717] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.726] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.727] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.727] GetProcessHeap () returned 0xa10000 [0279.727] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.727] GetProcessHeap () returned 0xa10000 [0279.727] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.727] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.727] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.738] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.738] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.739] GetProcessHeap () returned 0xa10000 [0279.739] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.740] GetProcessHeap () returned 0xa10000 [0279.740] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.741] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.741] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.754] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.754] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.755] GetProcessHeap () returned 0xa10000 [0279.755] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.755] GetProcessHeap () returned 0xa10000 [0279.755] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.755] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.755] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.773] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.773] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.775] GetProcessHeap () returned 0xa10000 [0279.775] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.775] GetProcessHeap () returned 0xa10000 [0279.775] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.775] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.775] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.789] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.789] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.790] GetProcessHeap () returned 0xa10000 [0279.790] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.791] GetProcessHeap () returned 0xa10000 [0279.791] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.792] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.792] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.802] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.802] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.803] GetProcessHeap () returned 0xa10000 [0279.803] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.803] GetProcessHeap () returned 0xa10000 [0279.803] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.803] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.803] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.812] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.812] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.813] GetProcessHeap () returned 0xa10000 [0279.813] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.813] GetProcessHeap () returned 0xa10000 [0279.813] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.813] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.813] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.822] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.822] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.823] GetProcessHeap () returned 0xa10000 [0279.823] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.824] GetProcessHeap () returned 0xa10000 [0279.824] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.826] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.826] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.846] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.846] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.847] GetProcessHeap () returned 0xa10000 [0279.847] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.847] GetProcessHeap () returned 0xa10000 [0279.847] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.847] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.847] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.856] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.857] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.857] GetProcessHeap () returned 0xa10000 [0279.857] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.857] GetProcessHeap () returned 0xa10000 [0279.857] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.857] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.858] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.867] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.867] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.867] GetProcessHeap () returned 0xa10000 [0279.867] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.869] GetProcessHeap () returned 0xa10000 [0279.869] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.870] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.870] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.881] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.881] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.882] GetProcessHeap () returned 0xa10000 [0279.882] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.882] GetProcessHeap () returned 0xa10000 [0279.882] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.882] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.882] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.899] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.899] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.900] GetProcessHeap () returned 0xa10000 [0279.900] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.900] GetProcessHeap () returned 0xa10000 [0279.900] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.900] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.900] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.910] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.910] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.911] GetProcessHeap () returned 0xa10000 [0279.911] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.912] GetProcessHeap () returned 0xa10000 [0279.912] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.914] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.914] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.925] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.925] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.926] GetProcessHeap () returned 0xa10000 [0279.926] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.926] GetProcessHeap () returned 0xa10000 [0279.926] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.926] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.926] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.936] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.936] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.936] GetProcessHeap () returned 0xa10000 [0279.937] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.937] GetProcessHeap () returned 0xa10000 [0279.937] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.937] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.937] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.955] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.955] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.956] GetProcessHeap () returned 0xa10000 [0279.956] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.957] GetProcessHeap () returned 0xa10000 [0279.957] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.958] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.959] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0279.968] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.968] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0279.969] GetProcessHeap () returned 0xa10000 [0279.969] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0279.969] GetProcessHeap () returned 0xa10000 [0279.969] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0279.969] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0279.969] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.019] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.019] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.020] GetProcessHeap () returned 0xa10000 [0280.020] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.020] GetProcessHeap () returned 0xa10000 [0280.020] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.020] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.020] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.026] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.026] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.027] GetProcessHeap () returned 0xa10000 [0280.027] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.029] GetProcessHeap () returned 0xa10000 [0280.029] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.030] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.030] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.099] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.099] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.100] GetProcessHeap () returned 0xa10000 [0280.100] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.100] GetProcessHeap () returned 0xa10000 [0280.100] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.100] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.100] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.110] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.110] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.110] GetProcessHeap () returned 0xa10000 [0280.111] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.111] GetProcessHeap () returned 0xa10000 [0280.111] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.111] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.111] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.120] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.120] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.121] GetProcessHeap () returned 0xa10000 [0280.121] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.174] GetProcessHeap () returned 0xa10000 [0280.174] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.175] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.175] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.194] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.195] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.195] GetProcessHeap () returned 0xa10000 [0280.195] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.195] GetProcessHeap () returned 0xa10000 [0280.195] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.195] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.195] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.215] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.216] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.217] GetProcessHeap () returned 0xa10000 [0280.217] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.217] GetProcessHeap () returned 0xa10000 [0280.217] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.217] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.217] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.226] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.226] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.227] GetProcessHeap () returned 0xa10000 [0280.227] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.228] GetProcessHeap () returned 0xa10000 [0280.228] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.229] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.229] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.240] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.240] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.241] GetProcessHeap () returned 0xa10000 [0280.241] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.241] GetProcessHeap () returned 0xa10000 [0280.241] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.241] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.241] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.250] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.251] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.251] GetProcessHeap () returned 0xa10000 [0280.251] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.251] GetProcessHeap () returned 0xa10000 [0280.251] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.251] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.251] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.269] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.269] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.271] GetProcessHeap () returned 0xa10000 [0280.271] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.273] GetProcessHeap () returned 0xa10000 [0280.273] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.274] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.274] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.285] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.285] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.286] GetProcessHeap () returned 0xa10000 [0280.286] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.286] GetProcessHeap () returned 0xa10000 [0280.286] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.286] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.286] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.294] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.294] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.294] GetProcessHeap () returned 0xa10000 [0280.295] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.295] GetProcessHeap () returned 0xa10000 [0280.295] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.295] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.295] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.303] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.303] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.303] GetProcessHeap () returned 0xa10000 [0280.303] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.305] GetProcessHeap () returned 0xa10000 [0280.305] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.306] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.306] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.315] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.315] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.316] GetProcessHeap () returned 0xa10000 [0280.316] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.316] GetProcessHeap () returned 0xa10000 [0280.316] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.316] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.316] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.332] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.333] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.333] GetProcessHeap () returned 0xa10000 [0280.333] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.333] GetProcessHeap () returned 0xa10000 [0280.333] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.333] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.333] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.342] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.342] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.343] GetProcessHeap () returned 0xa10000 [0280.343] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.345] GetProcessHeap () returned 0xa10000 [0280.345] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.346] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.346] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.355] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.355] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.356] GetProcessHeap () returned 0xa10000 [0280.356] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.356] GetProcessHeap () returned 0xa10000 [0280.356] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.356] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.357] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.364] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.364] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.365] GetProcessHeap () returned 0xa10000 [0280.365] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.365] GetProcessHeap () returned 0xa10000 [0280.365] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.365] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.365] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.379] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.379] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.380] GetProcessHeap () returned 0xa10000 [0280.380] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.381] GetProcessHeap () returned 0xa10000 [0280.381] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.382] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.382] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.393] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.393] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.394] GetProcessHeap () returned 0xa10000 [0280.394] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.394] GetProcessHeap () returned 0xa10000 [0280.394] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.394] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.394] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.402] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.402] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.403] GetProcessHeap () returned 0xa10000 [0280.403] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.403] GetProcessHeap () returned 0xa10000 [0280.403] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.404] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.404] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.412] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.412] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.412] GetProcessHeap () returned 0xa10000 [0280.412] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.414] GetProcessHeap () returned 0xa10000 [0280.414] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.415] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.415] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.433] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.433] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.435] GetProcessHeap () returned 0xa10000 [0280.435] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.435] GetProcessHeap () returned 0xa10000 [0280.435] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.435] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.435] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.442] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.442] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.442] GetProcessHeap () returned 0xa10000 [0280.442] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.442] GetProcessHeap () returned 0xa10000 [0280.442] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.442] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.443] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.456] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.456] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.457] GetProcessHeap () returned 0xa10000 [0280.457] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.458] GetProcessHeap () returned 0xa10000 [0280.458] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.459] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.459] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.469] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.470] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.470] GetProcessHeap () returned 0xa10000 [0280.470] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.470] GetProcessHeap () returned 0xa10000 [0280.470] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.470] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.470] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.485] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.485] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.486] GetProcessHeap () returned 0xa10000 [0280.487] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.487] GetProcessHeap () returned 0xa10000 [0280.487] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.487] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.487] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.495] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.495] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.495] GetProcessHeap () returned 0xa10000 [0280.495] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.497] GetProcessHeap () returned 0xa10000 [0280.497] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.498] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.498] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.508] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.508] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.508] GetProcessHeap () returned 0xa10000 [0280.508] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.509] GetProcessHeap () returned 0xa10000 [0280.509] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.509] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.509] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.517] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.517] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.518] GetProcessHeap () returned 0xa10000 [0280.518] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.518] GetProcessHeap () returned 0xa10000 [0280.518] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.518] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.518] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.535] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.535] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.537] GetProcessHeap () returned 0xa10000 [0280.537] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.538] GetProcessHeap () returned 0xa10000 [0280.538] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.539] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.539] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.549] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.549] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.549] GetProcessHeap () returned 0xa10000 [0280.549] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.550] GetProcessHeap () returned 0xa10000 [0280.550] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.550] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.550] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.558] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.558] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.558] GetProcessHeap () returned 0xa10000 [0280.558] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.558] GetProcessHeap () returned 0xa10000 [0280.558] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.558] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.559] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.567] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.567] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.568] GetProcessHeap () returned 0xa10000 [0280.568] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.569] GetProcessHeap () returned 0xa10000 [0280.569] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.570] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.571] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.596] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.596] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.597] GetProcessHeap () returned 0xa10000 [0280.597] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.597] GetProcessHeap () returned 0xa10000 [0280.597] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.597] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.597] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.613] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.613] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.613] GetProcessHeap () returned 0xa10000 [0280.613] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.613] GetProcessHeap () returned 0xa10000 [0280.613] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.613] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.613] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.623] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.623] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.624] GetProcessHeap () returned 0xa10000 [0280.624] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.625] GetProcessHeap () returned 0xa10000 [0280.625] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.627] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.627] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.637] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.637] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.638] GetProcessHeap () returned 0xa10000 [0280.638] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.638] GetProcessHeap () returned 0xa10000 [0280.638] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.638] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.638] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.645] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.646] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.646] GetProcessHeap () returned 0xa10000 [0280.646] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.646] GetProcessHeap () returned 0xa10000 [0280.646] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.646] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.646] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.660] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.660] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.660] GetProcessHeap () returned 0xa10000 [0280.660] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.662] GetProcessHeap () returned 0xa10000 [0280.662] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.663] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.663] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.671] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.671] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.672] GetProcessHeap () returned 0xa10000 [0280.672] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.672] GetProcessHeap () returned 0xa10000 [0280.672] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.672] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.672] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.679] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.679] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.680] GetProcessHeap () returned 0xa10000 [0280.680] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.680] GetProcessHeap () returned 0xa10000 [0280.680] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.680] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.680] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.688] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.688] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.689] GetProcessHeap () returned 0xa10000 [0280.689] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.690] GetProcessHeap () returned 0xa10000 [0280.691] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.691] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.692] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.708] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.708] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.709] GetProcessHeap () returned 0xa10000 [0280.709] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.709] GetProcessHeap () returned 0xa10000 [0280.709] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.709] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.710] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.718] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.718] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.719] GetProcessHeap () returned 0xa10000 [0280.719] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.719] GetProcessHeap () returned 0xa10000 [0280.719] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.719] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.719] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.727] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.727] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.727] GetProcessHeap () returned 0xa10000 [0280.727] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.728] GetProcessHeap () returned 0xa10000 [0280.729] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.729] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.729] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.738] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.738] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.739] GetProcessHeap () returned 0xa10000 [0280.739] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.739] GetProcessHeap () returned 0xa10000 [0280.739] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.739] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.739] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.754] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.754] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.756] GetProcessHeap () returned 0xa10000 [0280.756] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.756] GetProcessHeap () returned 0xa10000 [0280.756] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.756] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.756] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.764] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.764] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.765] GetProcessHeap () returned 0xa10000 [0280.765] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.766] GetProcessHeap () returned 0xa10000 [0280.766] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.767] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.768] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.778] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.778] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.779] GetProcessHeap () returned 0xa10000 [0280.779] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.779] GetProcessHeap () returned 0xa10000 [0280.779] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.779] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.779] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.790] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.790] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.791] GetProcessHeap () returned 0xa10000 [0280.791] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.791] GetProcessHeap () returned 0xa10000 [0280.791] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.791] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.791] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.807] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.808] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.809] GetProcessHeap () returned 0xa10000 [0280.809] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.811] GetProcessHeap () returned 0xa10000 [0280.811] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.812] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.812] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.822] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.822] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.823] GetProcessHeap () returned 0xa10000 [0280.823] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.823] GetProcessHeap () returned 0xa10000 [0280.823] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.823] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.823] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.833] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.833] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.833] GetProcessHeap () returned 0xa10000 [0280.833] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.833] GetProcessHeap () returned 0xa10000 [0280.833] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.833] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.834] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.843] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.843] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.843] GetProcessHeap () returned 0xa10000 [0280.843] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.845] GetProcessHeap () returned 0xa10000 [0280.845] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.846] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.846] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.857] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.857] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.858] GetProcessHeap () returned 0xa10000 [0280.858] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.858] GetProcessHeap () returned 0xa10000 [0280.858] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.858] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.858] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.874] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.874] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.875] GetProcessHeap () returned 0xa10000 [0280.875] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.875] GetProcessHeap () returned 0xa10000 [0280.875] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.875] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.875] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.884] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.884] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.885] GetProcessHeap () returned 0xa10000 [0280.885] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.887] GetProcessHeap () returned 0xa10000 [0280.887] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.888] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.888] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.899] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.899] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.900] GetProcessHeap () returned 0xa10000 [0280.900] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.900] GetProcessHeap () returned 0xa10000 [0280.900] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.900] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.900] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.938] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.938] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.938] GetProcessHeap () returned 0xa10000 [0280.938] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.938] GetProcessHeap () returned 0xa10000 [0280.939] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.939] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.939] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.956] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.956] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.957] GetProcessHeap () returned 0xa10000 [0280.957] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.958] GetProcessHeap () returned 0xa10000 [0280.958] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.960] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.960] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.972] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.972] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.972] GetProcessHeap () returned 0xa10000 [0280.972] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.972] GetProcessHeap () returned 0xa10000 [0280.972] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.973] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.973] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.984] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.984] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.985] GetProcessHeap () returned 0xa10000 [0280.985] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.985] GetProcessHeap () returned 0xa10000 [0280.985] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.985] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.985] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0280.994] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.994] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0280.995] GetProcessHeap () returned 0xa10000 [0280.995] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0280.997] GetProcessHeap () returned 0xa10000 [0280.997] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0280.998] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0280.998] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.017] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.017] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.018] GetProcessHeap () returned 0xa10000 [0281.018] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.018] GetProcessHeap () returned 0xa10000 [0281.018] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.018] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.019] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.028] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.028] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.029] GetProcessHeap () returned 0xa10000 [0281.029] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.029] GetProcessHeap () returned 0xa10000 [0281.029] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.029] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.029] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.039] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.039] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.039] GetProcessHeap () returned 0xa10000 [0281.039] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.041] GetProcessHeap () returned 0xa10000 [0281.041] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.042] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.042] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.054] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.054] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.055] GetProcessHeap () returned 0xa10000 [0281.055] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.055] GetProcessHeap () returned 0xa10000 [0281.055] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.055] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.055] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.073] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.073] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.075] GetProcessHeap () returned 0xa10000 [0281.075] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.075] GetProcessHeap () returned 0xa10000 [0281.075] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.075] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.075] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.084] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.084] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.085] GetProcessHeap () returned 0xa10000 [0281.085] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.086] GetProcessHeap () returned 0xa10000 [0281.086] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.087] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.088] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.099] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.099] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.099] GetProcessHeap () returned 0xa10000 [0281.100] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.100] GetProcessHeap () returned 0xa10000 [0281.100] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.100] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.100] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.109] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.109] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.110] GetProcessHeap () returned 0xa10000 [0281.110] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.110] GetProcessHeap () returned 0xa10000 [0281.110] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.110] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.110] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.128] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.128] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.130] GetProcessHeap () returned 0xa10000 [0281.130] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.131] GetProcessHeap () returned 0xa10000 [0281.131] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.132] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.133] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.184] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.184] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.185] GetProcessHeap () returned 0xa10000 [0281.185] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.185] GetProcessHeap () returned 0xa10000 [0281.185] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.185] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.185] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.193] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.193] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.194] GetProcessHeap () returned 0xa10000 [0281.194] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.194] GetProcessHeap () returned 0xa10000 [0281.194] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.194] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.194] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.203] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.203] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.203] GetProcessHeap () returned 0xa10000 [0281.203] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.205] GetProcessHeap () returned 0xa10000 [0281.205] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.206] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.206] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.215] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.215] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.216] GetProcessHeap () returned 0xa10000 [0281.216] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.216] GetProcessHeap () returned 0xa10000 [0281.216] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.216] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.216] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.232] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.232] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.233] GetProcessHeap () returned 0xa10000 [0281.233] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.233] GetProcessHeap () returned 0xa10000 [0281.233] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.233] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.233] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.241] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.241] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.241] GetProcessHeap () returned 0xa10000 [0281.241] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.243] GetProcessHeap () returned 0xa10000 [0281.243] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.244] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.244] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.253] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.253] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.254] GetProcessHeap () returned 0xa10000 [0281.254] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.254] GetProcessHeap () returned 0xa10000 [0281.254] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.254] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.254] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.262] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.262] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.263] GetProcessHeap () returned 0xa10000 [0281.263] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.263] GetProcessHeap () returned 0xa10000 [0281.263] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.263] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.263] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.278] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.278] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.279] GetProcessHeap () returned 0xa10000 [0281.279] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.280] GetProcessHeap () returned 0xa10000 [0281.280] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.282] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.282] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.295] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.295] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.296] GetProcessHeap () returned 0xa10000 [0281.296] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.296] GetProcessHeap () returned 0xa10000 [0281.296] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.296] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.296] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.305] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.305] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.305] GetProcessHeap () returned 0xa10000 [0281.305] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.305] GetProcessHeap () returned 0xa10000 [0281.305] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.305] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.306] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.315] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.315] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.316] GetProcessHeap () returned 0xa10000 [0281.316] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.317] GetProcessHeap () returned 0xa10000 [0281.317] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.318] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.319] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.405] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.405] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.406] GetProcessHeap () returned 0xa10000 [0281.406] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.406] GetProcessHeap () returned 0xa10000 [0281.406] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.406] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.406] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.413] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.413] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.414] GetProcessHeap () returned 0xa10000 [0281.414] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.414] GetProcessHeap () returned 0xa10000 [0281.414] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.414] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.414] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.446] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.446] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.447] GetProcessHeap () returned 0xa10000 [0281.447] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.448] GetProcessHeap () returned 0xa10000 [0281.448] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.450] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.450] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.459] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.459] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.460] GetProcessHeap () returned 0xa10000 [0281.460] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.460] GetProcessHeap () returned 0xa10000 [0281.460] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.460] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.460] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.546] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.546] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.548] GetProcessHeap () returned 0xa10000 [0281.548] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.548] GetProcessHeap () returned 0xa10000 [0281.548] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.548] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.548] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.558] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.558] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.558] GetProcessHeap () returned 0xa10000 [0281.558] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.560] GetProcessHeap () returned 0xa10000 [0281.560] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.561] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.561] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.574] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.574] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.604] GetProcessHeap () returned 0xa10000 [0281.605] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.607] GetProcessHeap () returned 0xa10000 [0281.607] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.608] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.608] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.618] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.618] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.618] GetProcessHeap () returned 0xa10000 [0281.619] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.619] GetProcessHeap () returned 0xa10000 [0281.619] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.619] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.619] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.642] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.642] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.643] GetProcessHeap () returned 0xa10000 [0281.643] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.645] GetProcessHeap () returned 0xa10000 [0281.645] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.646] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.646] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.658] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.658] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.659] GetProcessHeap () returned 0xa10000 [0281.659] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.659] GetProcessHeap () returned 0xa10000 [0281.659] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.659] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.659] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.667] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.667] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.668] GetProcessHeap () returned 0xa10000 [0281.668] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.668] GetProcessHeap () returned 0xa10000 [0281.668] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.668] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.668] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.677] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.678] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.678] GetProcessHeap () returned 0xa10000 [0281.678] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.680] GetProcessHeap () returned 0xa10000 [0281.680] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.681] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.681] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.692] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.692] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.693] GetProcessHeap () returned 0xa10000 [0281.693] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.693] GetProcessHeap () returned 0xa10000 [0281.693] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.693] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.693] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.718] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.718] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.719] GetProcessHeap () returned 0xa10000 [0281.719] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.719] GetProcessHeap () returned 0xa10000 [0281.719] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.719] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.719] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.732] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.732] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.733] GetProcessHeap () returned 0xa10000 [0281.733] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.736] GetProcessHeap () returned 0xa10000 [0281.736] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.738] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.738] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.750] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.750] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.751] GetProcessHeap () returned 0xa10000 [0281.751] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.751] GetProcessHeap () returned 0xa10000 [0281.751] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.751] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.751] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.761] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.761] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.762] GetProcessHeap () returned 0xa10000 [0281.762] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.762] GetProcessHeap () returned 0xa10000 [0281.762] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.762] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.762] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.780] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.780] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.781] GetProcessHeap () returned 0xa10000 [0281.781] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.782] GetProcessHeap () returned 0xa10000 [0281.782] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.783] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.784] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.794] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.794] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.795] GetProcessHeap () returned 0xa10000 [0281.795] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.795] GetProcessHeap () returned 0xa10000 [0281.795] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.795] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.795] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.833] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.834] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.834] GetProcessHeap () returned 0xa10000 [0281.834] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.834] GetProcessHeap () returned 0xa10000 [0281.834] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.834] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.834] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.844] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.844] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.845] GetProcessHeap () returned 0xa10000 [0281.845] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.847] GetProcessHeap () returned 0xa10000 [0281.847] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.848] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.848] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.868] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.868] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.868] GetProcessHeap () returned 0xa10000 [0281.868] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.868] GetProcessHeap () returned 0xa10000 [0281.868] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.868] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.868] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.878] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.878] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.879] GetProcessHeap () returned 0xa10000 [0281.879] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.879] GetProcessHeap () returned 0xa10000 [0281.879] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.879] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.879] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.887] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.887] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.887] GetProcessHeap () returned 0xa10000 [0281.888] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.889] GetProcessHeap () returned 0xa10000 [0281.889] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.890] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.892] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.904] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.904] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.904] GetProcessHeap () returned 0xa10000 [0281.904] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.904] GetProcessHeap () returned 0xa10000 [0281.904] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.905] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.905] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.921] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.922] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.923] GetProcessHeap () returned 0xa10000 [0281.923] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.923] GetProcessHeap () returned 0xa10000 [0281.923] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.923] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.923] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.932] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.932] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.932] GetProcessHeap () returned 0xa10000 [0281.932] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.934] GetProcessHeap () returned 0xa10000 [0281.934] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1e848) returned 0xa3f6a8 [0281.936] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.936] ReadFile (in: hFile=0x274, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee62c*=0x1e848, lpOverlapped=0x0) returned 1 [0281.945] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0281.945] WriteFile (in: hFile=0x274, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee620*=0x1e848, lpOverlapped=0x0) returned 1 [0281.946] GetProcessHeap () returned 0xa10000 [0281.946] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0281.946] CloseHandle (hObject=0x274) returned 1 [0282.444] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0282.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0282.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0282.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0282.445] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de5b0 [0282.445] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\baseimagefam8" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\baseimagefam8"), lpNewFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\baseimagefam8.NEFILIM" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\baseimagefam8.nefilim")) returned 1 [0282.446] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de5b0 | out: hHeap=0x28d0000) returned 1 [0282.446] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de528 | out: hHeap=0x28d0000) returned 1 [0282.446] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa33265df, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa33265df, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa315c98a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4eba475, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="baseimagefam8", cAlternateFileName="BASEIM~1")) returned 0 [0282.446] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0282.448] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de4a0 | out: hHeap=0x28d0000) returned 1 [0282.448] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0282.448] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.448] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="javapath", cAlternateFileName="")) returned 1 [0282.448] lstrcmpiW (lpString1="javapath", lpString2=".") returned 1 [0282.448] lstrcmpiW (lpString1="javapath", lpString2="..") returned 1 [0282.448] lstrcmpiW (lpString1="javapath", lpString2="...") returned 1 [0282.448] lstrcmpiW (lpString1="javapath", lpString2="windows") returned -1 [0282.448] lstrcmpiW (lpString1="javapath", lpString2="$RECYCLE.BIN") returned 1 [0282.448] lstrcmpiW (lpString1="javapath", lpString2="rsa") returned -1 [0282.448] lstrcmpiW (lpString1="javapath", lpString2="NTDETECT.COM") returned -1 [0282.448] lstrcmpiW (lpString1="javapath", lpString2="ntldr") returned -1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="MSDOS.SYS") returned -1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="IO.SYS") returned 1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="boot.ini") returned 1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="AUTOEXEC.BAT") returned 1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="ntuser.dat") returned -1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="desktop.ini") returned 1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="CONFIG.SYS") returned 1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="RECYCLER") returned -1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="BOOTSECT.BAK") returned 1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="bootmgr") returned 1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="programdata") returned -1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="appdata") returned 1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="program files") returned -1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="program files (x86)") returned -1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="microsoft") returned -1 [0282.449] lstrcmpiW (lpString1="javapath", lpString2="sophos") returned -1 [0282.449] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de318 [0282.449] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x76) returned 0x28dbe70 [0282.449] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.449] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de390 | out: hHeap=0x28d0000) returned 1 [0282.449] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de318 [0282.449] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de380 [0282.449] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de3e8 [0282.449] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\javapath\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x79000178, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0282.450] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.450] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="..", cAlternateFileName="")) returned 1 [0282.451] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.451] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.451] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="java.exe", cAlternateFileName="")) returned 1 [0282.451] lstrcmpiW (lpString1="java.exe", lpString2=".") returned 1 [0282.451] lstrcmpiW (lpString1="java.exe", lpString2="..") returned 1 [0282.451] lstrcmpiW (lpString1="java.exe", lpString2="...") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="windows") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="rsa") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="NTDETECT.COM") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="ntldr") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="MSDOS.SYS") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="IO.SYS") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="boot.ini") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="ntuser.dat") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="desktop.ini") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="CONFIG.SYS") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="RECYCLER") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="bootmgr") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="programdata") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="appdata") returned 1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="program files") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="program files (x86)") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="microsoft") returned -1 [0282.452] lstrcmpiW (lpString1="java.exe", lpString2="sophos") returned -1 [0282.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de450 [0282.452] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3e8 | out: hHeap=0x28d0000) returned 1 [0282.452] PathFindExtensionW (pszPath="java.exe") returned=".exe" [0282.452] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.452] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="javaw.exe", cAlternateFileName="")) returned 1 [0282.452] lstrcmpiW (lpString1="javaw.exe", lpString2=".") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="..") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="...") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="windows") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="rsa") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="NTDETECT.COM") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="ntldr") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="MSDOS.SYS") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="IO.SYS") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="boot.ini") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="ntuser.dat") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="desktop.ini") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="CONFIG.SYS") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="RECYCLER") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="bootmgr") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="programdata") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="appdata") returned 1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="program files") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="program files (x86)") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="microsoft") returned -1 [0282.453] lstrcmpiW (lpString1="javaw.exe", lpString2="sophos") returned -1 [0282.453] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de4c8 [0282.453] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de450 | out: hHeap=0x28d0000) returned 1 [0282.453] PathFindExtensionW (pszPath="javaw.exe") returned=".exe" [0282.454] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.454] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="javaws.exe", cAlternateFileName="")) returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2=".") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="..") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="...") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="windows") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="rsa") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="NTDETECT.COM") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="ntldr") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="MSDOS.SYS") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="IO.SYS") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="boot.ini") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="ntuser.dat") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="desktop.ini") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="CONFIG.SYS") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="RECYCLER") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="bootmgr") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="programdata") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="appdata") returned 1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="program files") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="program files (x86)") returned -1 [0282.454] lstrcmpiW (lpString1="javaws.exe", lpString2="microsoft") returned -1 [0282.455] lstrcmpiW (lpString1="javaws.exe", lpString2="sophos") returned -1 [0282.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de3e8 [0282.455] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de4c8 | out: hHeap=0x28d0000) returned 1 [0282.455] PathFindExtensionW (pszPath="javaws.exe") returned=".exe" [0282.455] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.455] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="javaws.exe", cAlternateFileName="")) returned 0 [0282.455] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0282.455] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3e8 | out: hHeap=0x28d0000) returned 1 [0282.455] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de380 | out: hHeap=0x28d0000) returned 1 [0282.455] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.455] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="javapath_target_474984", cAlternateFileName="JAVAPA~1")) returned 1 [0282.455] lstrcmpiW (lpString1="javapath_target_474984", lpString2=".") returned 1 [0282.455] lstrcmpiW (lpString1="javapath_target_474984", lpString2="..") returned 1 [0282.455] lstrcmpiW (lpString1="javapath_target_474984", lpString2="...") returned 1 [0282.455] lstrcmpiW (lpString1="javapath_target_474984", lpString2="windows") returned -1 [0282.455] lstrcmpiW (lpString1="javapath_target_474984", lpString2="$RECYCLE.BIN") returned 1 [0282.455] lstrcmpiW (lpString1="javapath_target_474984", lpString2="rsa") returned -1 [0282.455] lstrcmpiW (lpString1="javapath_target_474984", lpString2="NTDETECT.COM") returned -1 [0282.455] lstrcmpiW (lpString1="javapath_target_474984", lpString2="ntldr") returned -1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="MSDOS.SYS") returned -1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="IO.SYS") returned 1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="boot.ini") returned 1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="AUTOEXEC.BAT") returned 1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="ntuser.dat") returned -1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="desktop.ini") returned 1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="CONFIG.SYS") returned 1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="RECYCLER") returned -1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="BOOTSECT.BAK") returned 1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="bootmgr") returned 1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="programdata") returned -1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="appdata") returned 1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="program files") returned -1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="program files (x86)") returned -1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="microsoft") returned -1 [0282.456] lstrcmpiW (lpString1="javapath_target_474984", lpString2="sophos") returned -1 [0282.456] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de318 [0282.456] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0282.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0282.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de390 [0282.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de408 [0282.457] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x79000178, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0282.457] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.457] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="..", cAlternateFileName="")) returned 1 [0282.457] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.457] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.457] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="java.exe", cAlternateFileName="")) returned 1 [0282.457] lstrcmpiW (lpString1="java.exe", lpString2=".") returned 1 [0282.457] lstrcmpiW (lpString1="java.exe", lpString2="..") returned 1 [0282.457] lstrcmpiW (lpString1="java.exe", lpString2="...") returned 1 [0282.457] lstrcmpiW (lpString1="java.exe", lpString2="windows") returned -1 [0282.457] lstrcmpiW (lpString1="java.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.457] lstrcmpiW (lpString1="java.exe", lpString2="rsa") returned -1 [0282.457] lstrcmpiW (lpString1="java.exe", lpString2="NTDETECT.COM") returned -1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="ntldr") returned -1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="MSDOS.SYS") returned -1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="IO.SYS") returned 1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="boot.ini") returned 1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="ntuser.dat") returned -1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="desktop.ini") returned 1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="CONFIG.SYS") returned 1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="RECYCLER") returned -1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="bootmgr") returned 1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="programdata") returned -1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="appdata") returned 1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="program files") returned -1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="program files (x86)") returned -1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="microsoft") returned -1 [0282.458] lstrcmpiW (lpString1="java.exe", lpString2="sophos") returned -1 [0282.458] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de490 [0282.458] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0282.458] PathFindExtensionW (pszPath="java.exe") returned=".exe" [0282.458] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.458] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="javaw.exe", cAlternateFileName="")) returned 1 [0282.458] lstrcmpiW (lpString1="javaw.exe", lpString2=".") returned 1 [0282.458] lstrcmpiW (lpString1="javaw.exe", lpString2="..") returned 1 [0282.458] lstrcmpiW (lpString1="javaw.exe", lpString2="...") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="windows") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="rsa") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="NTDETECT.COM") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="ntldr") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="MSDOS.SYS") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="IO.SYS") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="boot.ini") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="ntuser.dat") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="desktop.ini") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="CONFIG.SYS") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="RECYCLER") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="bootmgr") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="programdata") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="appdata") returned 1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="program files") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="program files (x86)") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="microsoft") returned -1 [0282.459] lstrcmpiW (lpString1="javaw.exe", lpString2="sophos") returned -1 [0282.459] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de408 [0282.459] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de490 | out: hHeap=0x28d0000) returned 1 [0282.459] PathFindExtensionW (pszPath="javaw.exe") returned=".exe" [0282.459] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.459] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="javaws.exe", cAlternateFileName="")) returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2=".") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="..") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="...") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="windows") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="rsa") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="NTDETECT.COM") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="ntldr") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="MSDOS.SYS") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="IO.SYS") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="boot.ini") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="ntuser.dat") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="desktop.ini") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="CONFIG.SYS") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="RECYCLER") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="bootmgr") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="programdata") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="appdata") returned 1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="program files") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="program files (x86)") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="microsoft") returned -1 [0282.460] lstrcmpiW (lpString1="javaws.exe", lpString2="sophos") returned -1 [0282.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de490 [0282.460] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0282.460] PathFindExtensionW (pszPath="javaws.exe") returned=".exe" [0282.460] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.460] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0x79000178, cFileName="javaws.exe", cAlternateFileName="")) returned 0 [0282.461] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0282.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de490 | out: hHeap=0x28d0000) returned 1 [0282.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de390 | out: hHeap=0x28d0000) returned 1 [0282.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0282.461] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="javapath_target_474984", cAlternateFileName="JAVAPA~1")) returned 0 [0282.461] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0282.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe28 | out: hHeap=0x28d0000) returned 1 [0282.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0282.461] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0 [0282.461] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0282.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde0 | out: hHeap=0x28d0000) returned 1 [0282.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0282.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0282.462] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2=".") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="..") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="...") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="windows") returned -1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="$RECYCLE.BIN") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="rsa") returned -1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="NTDETECT.COM") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="ntldr") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="MSDOS.SYS") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="IO.SYS") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="boot.ini") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="AUTOEXEC.BAT") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="ntuser.dat") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="desktop.ini") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="CONFIG.SYS") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="RECYCLER") returned -1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="BOOTSECT.BAK") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="bootmgr") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="programdata") returned -1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="appdata") returned 1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="program files") returned -1 [0282.462] lstrcmpiW (lpString1="Package Cache", lpString2="program files (x86)") returned -1 [0282.463] lstrcmpiW (lpString1="Package Cache", lpString2="microsoft") returned 1 [0282.463] lstrcmpiW (lpString1="Package Cache", lpString2="sophos") returned -1 [0282.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd08 [0282.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd60 [0282.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdb8 [0282.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe10 [0282.463] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0282.464] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.464] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.464] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.464] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.464] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0282.464] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0282.464] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0282.464] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="...") returned 1 [0282.464] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="windows") returned -1 [0282.464] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0282.464] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="rsa") returned -1 [0282.464] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0282.464] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="ntldr") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="IO.SYS") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="boot.ini") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="ntuser.dat") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="desktop.ini") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="RECYCLER") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="bootmgr") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="programdata") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="appdata") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="program files") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="program files (x86)") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="microsoft") returned -1 [0282.465] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="sophos") returned -1 [0282.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.465] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.465] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0282.466] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.467] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.467] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.467] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.467] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.467] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.468] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.468] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.468] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.468] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.468] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.468] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.468] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.468] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de798 [0282.468] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f320 [0282.469] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.469] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.469] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.469] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.469] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$RECYCLE.BIN") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="NTDETECT.COM") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntldr") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="MSDOS.SYS") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="IO.SYS") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="boot.ini") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="AUTOEXEC.BAT") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0282.469] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="desktop.ini") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="CONFIG.SYS") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="RECYCLER") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="BOOTSECT.BAK") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="bootmgr") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="microsoft") returned 1 [0282.470] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="sophos") returned 1 [0282.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de860 [0282.470] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de958 [0282.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea50 [0282.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28deb48 [0282.470] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f620 [0282.470] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.471] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.471] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.471] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.471] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5eefa500, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.471] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.472] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.472] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.472] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.472] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0282.472] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.472] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.472] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.472] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.472] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.472] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5eefa500, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="NTDETECT.COM") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntldr") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="MSDOS.SYS") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="IO.SYS") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="boot.ini") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="desktop.ini") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="CONFIG.SYS") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RECYCLER") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="bootmgr") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0282.472] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0282.473] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0282.473] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="microsoft") returned 1 [0282.473] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="sophos") returned 1 [0282.473] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x120) returned 0x28deb48 [0282.473] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0282.473] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.473] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.473] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5eefa500, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.473] FindClose (in: hFindFile=0xa2f620 | out: hFindFile=0xa2f620) returned 1 [0282.474] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.474] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea50 | out: hHeap=0x28d0000) returned 1 [0282.474] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de958 | out: hHeap=0x28d0000) returned 1 [0282.474] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0282.474] FindClose (in: hFindFile=0xa2f320 | out: hFindFile=0xa2f320) returned 1 [0282.474] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de860 | out: hHeap=0x28d0000) returned 1 [0282.474] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.474] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.474] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0282.474] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0282.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.475] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e7475e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf03b3d5, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="...") returned 1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="windows") returned -1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$RECYCLE.BIN") returned 1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="rsa") returned -1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="NTDETECT.COM") returned -1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="ntldr") returned -1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="MSDOS.SYS") returned -1 [0282.475] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="IO.SYS") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="boot.ini") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="AUTOEXEC.BAT") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="ntuser.dat") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="desktop.ini") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="CONFIG.SYS") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="RECYCLER") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="BOOTSECT.BAK") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="bootmgr") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="programdata") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="appdata") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="program files") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="program files (x86)") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="microsoft") returned -1 [0282.476] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="sophos") returned -1 [0282.476] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbe10 [0282.476] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd6) returned 0x28de3d0 [0282.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.476] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de318 [0282.476] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbe10 [0282.476] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de4b0 [0282.476] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e7475e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf03b3d5, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0282.476] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.476] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e7475e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf03b3d5, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.477] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.478] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.478] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x354d9570, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0282.478] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0282.478] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de558 [0282.479] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de4b0 | out: hHeap=0x28d0000) returned 1 [0282.479] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0282.479] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0282.479] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0282.479] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de610 [0282.479] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0282.480] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=626) returned 1 [0282.480] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0282.480] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0282.480] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0282.480] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0282.480] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0282.480] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0282.480] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0282.480] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0282.481] GetTickCount () returned 0x1186be7 [0282.481] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0282.481] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.481] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x272, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.481] SetLastError (dwErrCode=0x0) [0282.481] WriteFile (in: hFile=0x270, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.483] GetLastError () returned 0x0 [0282.483] GetLastError () returned 0x0 [0282.483] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x372, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.483] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.484] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x472, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.484] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xceb18c6f, dwHighDateTime=0x1d5fd73)) [0282.484] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0282.484] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.484] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0282.484] GetProcessHeap () returned 0xa10000 [0282.484] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x272) returned 0xa34b88 [0282.484] GetSystemDefaultLangID () returned 0xa20409 [0282.484] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.484] ReadFile (in: hFile=0x270, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x272, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee94c*=0x272, lpOverlapped=0x0) returned 1 [0282.484] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.505] WriteFile (in: hFile=0x270, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x272, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee940*=0x272, lpOverlapped=0x0) returned 1 [0282.505] GetProcessHeap () returned 0xa10000 [0282.505] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0282.505] CloseHandle (hObject=0x270) returned 1 [0282.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0282.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0282.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0282.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0282.508] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6c8 [0282.508] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.nefilim")) returned 1 [0282.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6c8 | out: hHeap=0x28d0000) returned 1 [0282.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de610 | out: hHeap=0x28d0000) returned 1 [0282.509] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xcef30371, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0282.509] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0282.509] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0282.509] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="...") returned 1 [0282.509] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="windows") returned -1 [0282.509] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.510] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="rsa") returned 1 [0282.510] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="NTDETECT.COM") returned 1 [0282.510] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntldr") returned 1 [0282.510] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="MSDOS.SYS") returned 1 [0282.510] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="IO.SYS") returned 1 [0282.510] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="boot.ini") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntuser.dat") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="desktop.ini") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="CONFIG.SYS") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="RECYCLER") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="bootmgr") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="programdata") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="appdata") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files (x86)") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="microsoft") returned 1 [0282.511] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="sophos") returned 1 [0282.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de610 [0282.511] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de558 | out: hHeap=0x28d0000) returned 1 [0282.511] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0282.511] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.512] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xcef30371, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0282.512] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0282.512] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de610 | out: hHeap=0x28d0000) returned 1 [0282.513] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.513] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.513] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="...") returned 1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="windows") returned -1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="rsa") returned -1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="ntldr") returned -1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="IO.SYS") returned -1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="boot.ini") returned -1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0282.513] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="ntuser.dat") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="desktop.ini") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="RECYCLER") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="bootmgr") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="programdata") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="appdata") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="program files") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="program files (x86)") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="microsoft") returned -1 [0282.514] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="sophos") returned -1 [0282.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.514] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.514] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0282.520] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.520] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.520] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.521] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.521] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.521] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.521] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.521] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.522] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.523] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.523] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.523] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.523] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.523] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de798 [0282.523] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0282.525] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.525] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.525] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.525] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.525] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$RECYCLE.BIN") returned 1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="NTDETECT.COM") returned 1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntldr") returned 1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="MSDOS.SYS") returned 1 [0282.525] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="IO.SYS") returned 1 [0282.526] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="boot.ini") returned 1 [0282.526] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0282.526] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0282.526] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="desktop.ini") returned 1 [0282.526] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="CONFIG.SYS") returned 1 [0282.526] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="RECYCLER") returned 1 [0282.526] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="BOOTSECT.BAK") returned 1 [0282.526] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="bootmgr") returned 1 [0282.526] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0282.527] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0282.527] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0282.527] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0282.527] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="microsoft") returned 1 [0282.527] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="sophos") returned 1 [0282.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de860 [0282.527] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de958 [0282.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea50 [0282.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0282.527] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0282.528] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.528] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.528] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.528] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.528] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb69f0b00, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0xb69f0b00, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xb69f0b00, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.528] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.528] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.528] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.529] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.529] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.529] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.529] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.529] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.529] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.529] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.529] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.530] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.530] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0282.530] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0282.530] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.530] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.530] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.530] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.530] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5197e500, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x5197e500, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x5197e500, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.530] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="NTDETECT.COM") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntldr") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="MSDOS.SYS") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="IO.SYS") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="boot.ini") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0282.531] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="desktop.ini") returned 1 [0282.532] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="CONFIG.SYS") returned 1 [0282.533] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RECYCLER") returned 1 [0282.533] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.533] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="bootmgr") returned 1 [0282.533] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0282.533] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0282.533] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0282.533] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0282.533] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="microsoft") returned 1 [0282.533] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="sophos") returned 1 [0282.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x130) returned 0x28deb48 [0282.533] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0282.533] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.533] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.534] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.534] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.534] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.534] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.534] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.534] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5197e500, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x5197e500, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x5197e500, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.534] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0282.534] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.534] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea50 | out: hHeap=0x28d0000) returned 1 [0282.534] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de958 | out: hHeap=0x28d0000) returned 1 [0282.534] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0282.534] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0282.534] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de860 | out: hHeap=0x28d0000) returned 1 [0282.534] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.534] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.535] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.535] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0282.535] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.535] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.535] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.535] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebeed6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd40b2b5b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="...") returned 1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="windows") returned -1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="$RECYCLE.BIN") returned 1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="rsa") returned -1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="NTDETECT.COM") returned -1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="ntldr") returned -1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="MSDOS.SYS") returned -1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="IO.SYS") returned -1 [0282.535] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="boot.ini") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="AUTOEXEC.BAT") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="ntuser.dat") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="desktop.ini") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="CONFIG.SYS") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="RECYCLER") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="BOOTSECT.BAK") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="bootmgr") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="programdata") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="appdata") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="program files") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="program files (x86)") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="microsoft") returned -1 [0282.536] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="sophos") returned -1 [0282.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbe10 [0282.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd6) returned 0x28de3d0 [0282.536] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.536] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de318 [0282.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbe10 [0282.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de4b0 [0282.537] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebeed6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd40b2b5b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0282.537] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.537] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebeed6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd40b2b5b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.537] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.537] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.537] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40b2b5b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd40b2b5b, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x3639a1f2, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0282.537] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0282.537] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0282.537] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0282.538] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0282.539] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0282.539] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de558 [0282.539] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de4b0 | out: hHeap=0x28d0000) returned 1 [0282.539] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0282.539] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0282.540] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0282.540] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0282.540] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0282.540] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0282.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de610 [0282.540] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0282.541] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=638) returned 1 [0282.541] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0282.541] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0282.541] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0282.542] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0282.542] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0282.542] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0282.542] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0282.544] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0282.546] GetTickCount () returned 0x1186c35 [0282.546] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0282.546] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.546] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x27e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.546] SetLastError (dwErrCode=0x0) [0282.546] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.549] GetLastError () returned 0x0 [0282.549] GetLastError () returned 0x0 [0282.549] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.549] WriteFile (in: hFile=0x270, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.549] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.550] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcebaf987, dwHighDateTime=0x1d5fd73)) [0282.550] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0282.550] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.550] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0282.550] GetProcessHeap () returned 0xa10000 [0282.550] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x27e) returned 0xa34b88 [0282.550] GetSystemDefaultLangID () returned 0xa20409 [0282.550] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.550] ReadFile (in: hFile=0x270, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee94c*=0x27e, lpOverlapped=0x0) returned 1 [0282.550] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.550] WriteFile (in: hFile=0x270, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee940*=0x27e, lpOverlapped=0x0) returned 1 [0282.550] GetProcessHeap () returned 0xa10000 [0282.550] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0282.550] CloseHandle (hObject=0x270) returned 1 [0282.560] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0282.560] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0282.560] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0282.560] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0282.560] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6c8 [0282.560] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.nefilim")) returned 1 [0282.561] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6c8 | out: hHeap=0x28d0000) returned 1 [0282.561] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de610 | out: hHeap=0x28d0000) returned 1 [0282.561] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd408c921, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd4040448, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="...") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="windows") returned -1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="rsa") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="NTDETECT.COM") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntldr") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="MSDOS.SYS") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="IO.SYS") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="boot.ini") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.561] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntuser.dat") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="desktop.ini") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="CONFIG.SYS") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="RECYCLER") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="bootmgr") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="programdata") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="appdata") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files (x86)") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="microsoft") returned 1 [0282.562] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="sophos") returned 1 [0282.562] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de610 [0282.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de558 | out: hHeap=0x28d0000) returned 1 [0282.562] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0282.562] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.562] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd408c921, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd4040448, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0282.562] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0282.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de610 | out: hHeap=0x28d0000) returned 1 [0282.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.562] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0282.562] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0282.562] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0282.562] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="...") returned 1 [0282.562] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="windows") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="rsa") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="ntldr") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="IO.SYS") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="boot.ini") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="ntuser.dat") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="desktop.ini") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="RECYCLER") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="bootmgr") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="programdata") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="appdata") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="program files") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="program files (x86)") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="microsoft") returned -1 [0282.563] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="sophos") returned -1 [0282.563] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.563] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.563] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.563] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.564] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.564] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f320 [0282.565] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.565] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.565] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.565] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.565] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.565] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.566] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.566] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.566] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.566] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28de798 [0282.566] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0282.566] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.566] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.566] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.566] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.566] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0282.566] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$RECYCLE.BIN") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="NTDETECT.COM") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntldr") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="MSDOS.SYS") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="IO.SYS") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="boot.ini") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="AUTOEXEC.BAT") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="desktop.ini") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="CONFIG.SYS") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="RECYCLER") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="BOOTSECT.BAK") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="bootmgr") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="microsoft") returned 1 [0282.567] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="sophos") returned 1 [0282.568] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de870 [0282.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.568] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de968 [0282.568] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea60 [0282.568] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28deb58 [0282.568] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f9a0 [0282.568] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.568] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.568] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.568] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.568] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf81cb00, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xdf81cb00, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xdf81cb00, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x13babb, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.568] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.568] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.568] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.568] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.568] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.568] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.568] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.568] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.569] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.569] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0282.569] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb58 | out: hHeap=0x28d0000) returned 1 [0282.569] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.569] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.569] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.569] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.569] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93af200, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x93af200, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x93af200, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.569] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0282.569] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0282.569] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="NTDETECT.COM") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntldr") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="MSDOS.SYS") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="IO.SYS") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="boot.ini") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="desktop.ini") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="CONFIG.SYS") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RECYCLER") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="bootmgr") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="microsoft") returned 1 [0282.570] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="sophos") returned 1 [0282.570] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x120) returned 0x28deb58 [0282.570] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0282.570] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0282.570] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.570] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.570] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.571] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.571] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93af200, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x93af200, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x93af200, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.571] FindClose (in: hFindFile=0xa2f9a0 | out: hFindFile=0xa2f9a0) returned 1 [0282.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb58 | out: hHeap=0x28d0000) returned 1 [0282.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea60 | out: hHeap=0x28d0000) returned 1 [0282.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de968 | out: hHeap=0x28d0000) returned 1 [0282.571] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0282.571] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0282.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de870 | out: hHeap=0x28d0000) returned 1 [0282.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.572] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.572] FindClose (in: hFindFile=0xa2f320 | out: hFindFile=0xa2f320) returned 1 [0282.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.572] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="...") returned 1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="windows") returned -1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="rsa") returned -1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="ntldr") returned -1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="IO.SYS") returned -1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="boot.ini") returned -1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="ntuser.dat") returned -1 [0282.572] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="desktop.ini") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="RECYCLER") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="bootmgr") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="programdata") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="appdata") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="program files") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="program files (x86)") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="microsoft") returned -1 [0282.573] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="sophos") returned -1 [0282.573] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.573] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.573] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.573] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.573] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0282.574] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.574] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.574] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.574] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.574] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.574] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.575] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.575] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28de798 [0282.576] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0282.576] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.576] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.576] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.576] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.576] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$RECYCLE.BIN") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="NTDETECT.COM") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntldr") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="MSDOS.SYS") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="IO.SYS") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="boot.ini") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="AUTOEXEC.BAT") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0282.576] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="desktop.ini") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="CONFIG.SYS") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="RECYCLER") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="BOOTSECT.BAK") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="bootmgr") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="microsoft") returned 1 [0282.577] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="sophos") returned 1 [0282.577] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de870 [0282.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.577] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de968 [0282.577] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea60 [0282.577] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0282.577] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f760 [0282.577] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.577] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.577] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.577] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.577] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e42500, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe1e42500, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xe1e42500, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x4f699e, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.577] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.578] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.578] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0282.578] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0282.578] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.578] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.578] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.578] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.578] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce7900, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xcce7900, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xcce7900, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="NTDETECT.COM") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntldr") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="MSDOS.SYS") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="IO.SYS") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="boot.ini") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="desktop.ini") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="CONFIG.SYS") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RECYCLER") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="bootmgr") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="microsoft") returned 1 [0282.579] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="sophos") returned 1 [0282.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x130) returned 0x28deb58 [0282.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0282.579] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0282.579] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.579] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.579] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.580] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.580] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce7900, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xcce7900, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xcce7900, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.580] FindClose (in: hFindFile=0xa2f760 | out: hFindFile=0xa2f760) returned 1 [0282.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb58 | out: hHeap=0x28d0000) returned 1 [0282.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea60 | out: hHeap=0x28d0000) returned 1 [0282.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de968 | out: hHeap=0x28d0000) returned 1 [0282.580] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0282.580] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0282.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de870 | out: hHeap=0x28d0000) returned 1 [0282.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.580] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.580] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0282.582] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.582] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.582] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.582] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="...") returned 1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="windows") returned -1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="rsa") returned -1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="ntldr") returned -1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0282.582] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="IO.SYS") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="boot.ini") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="ntuser.dat") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="desktop.ini") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="RECYCLER") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="bootmgr") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="programdata") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="appdata") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="program files") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="program files (x86)") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="microsoft") returned -1 [0282.583] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="sophos") returned -1 [0282.583] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.583] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.583] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.583] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.583] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f320 [0282.598] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.598] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.599] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.599] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.599] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.599] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.599] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.600] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.600] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28de798 [0282.601] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0282.601] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.601] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.601] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.601] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.601] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$RECYCLE.BIN") returned 1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="NTDETECT.COM") returned 1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntldr") returned 1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="MSDOS.SYS") returned 1 [0282.601] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="IO.SYS") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="boot.ini") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="desktop.ini") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="CONFIG.SYS") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="RECYCLER") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="BOOTSECT.BAK") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="bootmgr") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="microsoft") returned 1 [0282.602] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="sophos") returned 1 [0282.602] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de870 [0282.602] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.602] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de968 [0282.602] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea60 [0282.602] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28deb58 [0282.602] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0282.603] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.603] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.603] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.603] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.603] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e42500, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe1e42500, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xe1e42500, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x165257, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.603] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.604] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.604] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.604] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.604] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.604] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.604] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.604] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.604] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0282.604] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb58 | out: hHeap=0x28d0000) returned 1 [0282.604] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.604] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.604] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.604] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.604] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d4c00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xb9d4c00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xb9d4c00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="NTDETECT.COM") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntldr") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="MSDOS.SYS") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="IO.SYS") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="boot.ini") returned 1 [0282.604] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="desktop.ini") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="CONFIG.SYS") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RECYCLER") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="bootmgr") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="microsoft") returned 1 [0282.605] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="sophos") returned 1 [0282.605] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x120) returned 0x28deb58 [0282.605] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0282.605] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.605] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.606] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.606] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.606] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d4c00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xb9d4c00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xb9d4c00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.606] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0282.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb58 | out: hHeap=0x28d0000) returned 1 [0282.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea60 | out: hHeap=0x28d0000) returned 1 [0282.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de968 | out: hHeap=0x28d0000) returned 1 [0282.606] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0282.606] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0282.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de870 | out: hHeap=0x28d0000) returned 1 [0282.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.606] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.606] FindClose (in: hFindFile=0xa2f320 | out: hFindFile=0xa2f320) returned 1 [0282.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.606] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0282.606] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0282.606] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="...") returned 1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="windows") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="rsa") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="ntldr") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="IO.SYS") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="boot.ini") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="ntuser.dat") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="desktop.ini") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="RECYCLER") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="bootmgr") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="programdata") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="appdata") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="program files") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="program files (x86)") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="microsoft") returned -1 [0282.607] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="sophos") returned -1 [0282.607] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.607] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.607] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.607] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.607] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0282.608] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.608] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.608] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.608] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.608] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.608] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.608] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.608] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.609] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de798 [0282.609] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0282.610] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.610] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.610] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.610] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.610] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$RECYCLE.BIN") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="NTDETECT.COM") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntldr") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="MSDOS.SYS") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="IO.SYS") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="boot.ini") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="desktop.ini") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="CONFIG.SYS") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="RECYCLER") returned 1 [0282.610] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="BOOTSECT.BAK") returned 1 [0282.611] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="bootmgr") returned 1 [0282.611] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0282.611] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0282.611] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0282.611] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0282.611] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="microsoft") returned 1 [0282.611] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="sophos") returned 1 [0282.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de860 [0282.611] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de958 [0282.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea50 [0282.611] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0282.611] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0282.612] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.612] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.612] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.612] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.612] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8abe5b00, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x8abe5b00, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x8abe5b00, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.612] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.613] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.613] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.613] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.613] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.613] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.613] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.613] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.613] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.613] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0282.613] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0282.613] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.613] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.613] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.613] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.613] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="NTDETECT.COM") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntldr") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="MSDOS.SYS") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="IO.SYS") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="boot.ini") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="desktop.ini") returned 1 [0282.613] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="CONFIG.SYS") returned 1 [0282.614] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RECYCLER") returned 1 [0282.614] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.614] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="bootmgr") returned 1 [0282.614] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0282.614] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0282.614] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0282.614] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0282.614] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="microsoft") returned 1 [0282.614] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="sophos") returned 1 [0282.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x130) returned 0x28deb48 [0282.614] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0282.614] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.614] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.614] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.614] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0282.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea50 | out: hHeap=0x28d0000) returned 1 [0282.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de958 | out: hHeap=0x28d0000) returned 1 [0282.615] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0282.615] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0282.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de860 | out: hHeap=0x28d0000) returned 1 [0282.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.615] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.615] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0282.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.615] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0282.615] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0282.615] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0282.615] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="...") returned 1 [0282.615] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="windows") returned -1 [0282.615] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="rsa") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="ntldr") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="IO.SYS") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="boot.ini") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="ntuser.dat") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="desktop.ini") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="RECYCLER") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="bootmgr") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="programdata") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="appdata") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="program files") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="program files (x86)") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="microsoft") returned -1 [0282.616] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="sophos") returned -1 [0282.616] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.616] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.616] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.616] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.616] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0282.617] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.617] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.617] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.617] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.617] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.617] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.618] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.618] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de798 [0282.618] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0282.619] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.619] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.619] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.619] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.619] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$RECYCLE.BIN") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="NTDETECT.COM") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntldr") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="MSDOS.SYS") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="IO.SYS") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="boot.ini") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="desktop.ini") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="CONFIG.SYS") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="RECYCLER") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="BOOTSECT.BAK") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="bootmgr") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0282.619] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="microsoft") returned 1 [0282.620] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="sophos") returned 1 [0282.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de860 [0282.620] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de958 [0282.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea50 [0282.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28deb48 [0282.620] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0282.620] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.620] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.620] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.620] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.620] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x898d2e00, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x898d2e00, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x898d2e00, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.620] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.621] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.621] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0282.621] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.621] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.621] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.621] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.621] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.622] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="NTDETECT.COM") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntldr") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="MSDOS.SYS") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="IO.SYS") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="boot.ini") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="desktop.ini") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="CONFIG.SYS") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RECYCLER") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="bootmgr") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="microsoft") returned 1 [0282.622] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="sophos") returned 1 [0282.622] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x120) returned 0x28deb48 [0282.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0282.623] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.623] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.623] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.623] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0282.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea50 | out: hHeap=0x28d0000) returned 1 [0282.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de958 | out: hHeap=0x28d0000) returned 1 [0282.623] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0282.624] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0282.624] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de860 | out: hHeap=0x28d0000) returned 1 [0282.624] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.624] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.624] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.624] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0282.624] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.624] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.624] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.624] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0282.624] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0282.624] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0282.624] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="...") returned 1 [0282.624] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="windows") returned -1 [0282.624] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0282.624] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="rsa") returned -1 [0282.624] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="ntldr") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="IO.SYS") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="boot.ini") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="ntuser.dat") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="desktop.ini") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="RECYCLER") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="bootmgr") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="programdata") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="appdata") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="program files") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="program files (x86)") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="microsoft") returned -1 [0282.625] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="sophos") returned -1 [0282.625] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.625] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.625] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.625] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.625] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.625] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0282.627] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.627] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.627] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.627] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.627] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.627] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.628] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.628] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.628] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.628] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.628] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.628] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.628] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.628] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.628] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.628] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de798 [0282.628] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0282.628] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.628] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.628] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.628] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.628] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0282.628] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0282.628] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0282.628] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0282.628] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0282.628] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$RECYCLE.BIN") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="NTDETECT.COM") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntldr") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="MSDOS.SYS") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="IO.SYS") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="boot.ini") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="AUTOEXEC.BAT") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="desktop.ini") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="CONFIG.SYS") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="RECYCLER") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="BOOTSECT.BAK") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="bootmgr") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="microsoft") returned 1 [0282.629] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="sophos") returned 1 [0282.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de860 [0282.629] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de958 [0282.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea50 [0282.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28deb48 [0282.629] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0282.630] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.630] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.630] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.630] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.630] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d1a600, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0x98d1a600, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0x98d1a600, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.630] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.631] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.631] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.631] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.631] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0282.631] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.631] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.631] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.631] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.631] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.631] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="NTDETECT.COM") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntldr") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="MSDOS.SYS") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="IO.SYS") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="boot.ini") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="desktop.ini") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="CONFIG.SYS") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RECYCLER") returned 1 [0282.631] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.632] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="bootmgr") returned 1 [0282.632] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0282.632] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0282.632] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0282.632] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0282.632] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="microsoft") returned 1 [0282.632] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="sophos") returned 1 [0282.632] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x130) returned 0x28deb48 [0282.632] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0282.632] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.632] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.633] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.633] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.633] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0282.633] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.633] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea50 | out: hHeap=0x28d0000) returned 1 [0282.633] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de958 | out: hHeap=0x28d0000) returned 1 [0282.633] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0282.633] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0282.633] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de860 | out: hHeap=0x28d0000) returned 1 [0282.633] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.633] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.633] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.633] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0282.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.634] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="...") returned 1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="windows") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="rsa") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="ntldr") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="IO.SYS") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="boot.ini") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="ntuser.dat") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="desktop.ini") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="RECYCLER") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="bootmgr") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="programdata") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="appdata") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="program files") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="program files (x86)") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="microsoft") returned -1 [0282.634] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="sophos") returned -1 [0282.634] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.635] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.635] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.635] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.635] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0282.635] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.635] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.636] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.636] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.636] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.637] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de798 [0282.637] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0282.637] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.637] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.637] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.637] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.637] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0282.637] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0282.637] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0282.637] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0282.637] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0282.637] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$RECYCLE.BIN") returned 1 [0282.637] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0282.637] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="NTDETECT.COM") returned 1 [0282.637] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntldr") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="MSDOS.SYS") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="IO.SYS") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="boot.ini") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="AUTOEXEC.BAT") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="desktop.ini") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="CONFIG.SYS") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="RECYCLER") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="BOOTSECT.BAK") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="bootmgr") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="microsoft") returned 1 [0282.638] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="sophos") returned 1 [0282.638] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de860 [0282.638] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.638] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de958 [0282.638] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea50 [0282.638] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28deb48 [0282.638] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f620 [0282.638] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.638] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.638] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.639] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.639] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966f4c00, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0x966f4c00, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0x966f4c00, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.639] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.639] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0282.639] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.639] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.639] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.639] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.639] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.640] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="NTDETECT.COM") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntldr") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="MSDOS.SYS") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="IO.SYS") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="boot.ini") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="desktop.ini") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="CONFIG.SYS") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RECYCLER") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="bootmgr") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="microsoft") returned 1 [0282.640] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="sophos") returned 1 [0282.640] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x120) returned 0x28deb48 [0282.640] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0282.640] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0282.640] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.640] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.640] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.641] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.641] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.641] FindClose (in: hFindFile=0xa2f620 | out: hFindFile=0xa2f620) returned 1 [0282.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea50 | out: hHeap=0x28d0000) returned 1 [0282.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de958 | out: hHeap=0x28d0000) returned 1 [0282.641] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0282.641] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0282.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de860 | out: hHeap=0x28d0000) returned 1 [0282.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.641] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.642] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0282.642] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.642] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.642] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.642] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307e4cc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0a28d82, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="...") returned 1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="windows") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$RECYCLE.BIN") returned 1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="rsa") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="NTDETECT.COM") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="ntldr") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="MSDOS.SYS") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="IO.SYS") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="boot.ini") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="AUTOEXEC.BAT") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="ntuser.dat") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="desktop.ini") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="CONFIG.SYS") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="RECYCLER") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="BOOTSECT.BAK") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="bootmgr") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="programdata") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="appdata") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="program files") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="program files (x86)") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="microsoft") returned -1 [0282.642] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="sophos") returned -1 [0282.642] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbe10 [0282.643] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd6) returned 0x28de3d0 [0282.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.643] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de318 [0282.643] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbe10 [0282.643] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de4b0 [0282.643] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307e4cc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0a28d82, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f320 [0282.644] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.644] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307e4cc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0a28d82, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.644] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.644] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.644] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x359ea6b6, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0282.644] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0282.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de558 [0282.645] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de4b0 | out: hHeap=0x28d0000) returned 1 [0282.645] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0282.645] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0282.645] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0282.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de610 [0282.646] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0282.647] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=626) returned 1 [0282.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0282.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0282.647] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0282.647] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0282.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0282.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0282.647] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0282.647] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0282.649] GetTickCount () returned 0x1186c93 [0282.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0282.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.649] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x272, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.649] SetLastError (dwErrCode=0x0) [0282.649] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.652] GetLastError () returned 0x0 [0282.652] GetLastError () returned 0x0 [0282.652] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x372, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.652] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.652] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x472, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.652] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcecbacf9, dwHighDateTime=0x1d5fd73)) [0282.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0282.653] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.653] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0282.653] GetProcessHeap () returned 0xa10000 [0282.653] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x272) returned 0xa34b88 [0282.653] GetSystemDefaultLangID () returned 0xa20409 [0282.653] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.653] ReadFile (in: hFile=0x270, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x272, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee94c*=0x272, lpOverlapped=0x0) returned 1 [0282.653] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.653] WriteFile (in: hFile=0x270, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x272, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee940*=0x272, lpOverlapped=0x0) returned 1 [0282.653] GetProcessHeap () returned 0xa10000 [0282.653] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0282.653] CloseHandle (hObject=0x270) returned 1 [0282.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0282.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0282.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0282.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0282.655] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6c8 [0282.655] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.nefilim")) returned 1 [0282.660] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6c8 | out: hHeap=0x28d0000) returned 1 [0282.660] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de610 | out: hHeap=0x28d0000) returned 1 [0282.660] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd0a02b30, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="...") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="windows") returned -1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="rsa") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="NTDETECT.COM") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntldr") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="MSDOS.SYS") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="IO.SYS") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="boot.ini") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.660] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntuser.dat") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="desktop.ini") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="CONFIG.SYS") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="RECYCLER") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="bootmgr") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="programdata") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="appdata") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files (x86)") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="microsoft") returned 1 [0282.661] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="sophos") returned 1 [0282.661] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de610 [0282.661] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de558 | out: hHeap=0x28d0000) returned 1 [0282.661] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0282.661] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.661] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd0a02b30, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0282.661] FindClose (in: hFindFile=0xa2f320 | out: hFindFile=0xa2f320) returned 1 [0282.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de610 | out: hHeap=0x28d0000) returned 1 [0282.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.663] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="...") returned 1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="windows") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="rsa") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="ntldr") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="IO.SYS") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="boot.ini") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="ntuser.dat") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="desktop.ini") returned -1 [0282.663] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0282.664] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="RECYCLER") returned -1 [0282.664] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0282.664] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="bootmgr") returned -1 [0282.664] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="programdata") returned -1 [0282.664] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="appdata") returned -1 [0282.664] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="program files") returned -1 [0282.664] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="program files (x86)") returned -1 [0282.664] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="microsoft") returned -1 [0282.664] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="sophos") returned -1 [0282.664] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.664] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.664] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.664] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.664] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.664] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f960 [0282.665] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.665] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.665] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.665] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.665] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.665] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.665] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.665] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.666] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.666] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.666] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.666] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de798 [0282.667] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0282.667] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.667] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.667] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.667] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.667] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0282.667] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0282.667] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0282.667] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0282.667] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0282.667] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$RECYCLE.BIN") returned 1 [0282.667] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0282.667] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="NTDETECT.COM") returned 1 [0282.667] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntldr") returned 1 [0282.667] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="MSDOS.SYS") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="IO.SYS") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="boot.ini") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="desktop.ini") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="CONFIG.SYS") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="RECYCLER") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="BOOTSECT.BAK") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="bootmgr") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0282.668] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0282.669] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0282.669] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="microsoft") returned 1 [0282.669] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="sophos") returned 1 [0282.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de860 [0282.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de958 [0282.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea50 [0282.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28deb48 [0282.669] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0282.669] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.669] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.669] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.669] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.669] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4bd6800, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0xa4bd6800, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xa4bd6800, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.669] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.669] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.669] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.669] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.670] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.670] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0282.670] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.670] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.670] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.670] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.671] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.671] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x683e3c00, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x683e3c00, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x683e3c00, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="NTDETECT.COM") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntldr") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="MSDOS.SYS") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="IO.SYS") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="boot.ini") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="desktop.ini") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="CONFIG.SYS") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RECYCLER") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="bootmgr") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="microsoft") returned 1 [0282.671] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="sophos") returned 1 [0282.672] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x120) returned 0x28deb48 [0282.672] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0282.672] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.672] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.672] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x683e3c00, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x683e3c00, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x683e3c00, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.672] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0282.672] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.672] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea50 | out: hHeap=0x28d0000) returned 1 [0282.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de958 | out: hHeap=0x28d0000) returned 1 [0282.673] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0282.673] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0282.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de860 | out: hHeap=0x28d0000) returned 1 [0282.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.673] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.673] FindClose (in: hFindFile=0xa2f960 | out: hFindFile=0xa2f960) returned 1 [0282.674] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.674] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.674] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.674] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0282.674] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0282.674] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0282.674] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="...") returned 1 [0282.674] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="windows") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="rsa") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="ntldr") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="IO.SYS") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="boot.ini") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="ntuser.dat") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="desktop.ini") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="RECYCLER") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="bootmgr") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="programdata") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="appdata") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="program files") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="program files (x86)") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="microsoft") returned -1 [0282.675] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="sophos") returned -1 [0282.675] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.675] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.675] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.676] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0282.676] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.676] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.677] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.677] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.677] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.677] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.677] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.677] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.677] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.677] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.677] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.677] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.677] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.677] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.677] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.678] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.678] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28de798 [0282.678] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0282.679] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.679] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.679] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.679] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.679] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$RECYCLE.BIN") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="NTDETECT.COM") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntldr") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="MSDOS.SYS") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="IO.SYS") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="boot.ini") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="desktop.ini") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="CONFIG.SYS") returned 1 [0282.679] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="RECYCLER") returned 1 [0282.680] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="BOOTSECT.BAK") returned 1 [0282.680] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="bootmgr") returned 1 [0282.680] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0282.680] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0282.680] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0282.680] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0282.680] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="microsoft") returned 1 [0282.680] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="sophos") returned 1 [0282.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de870 [0282.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de968 [0282.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea60 [0282.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0282.680] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0282.680] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.680] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.681] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.681] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.681] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe90b3300, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe90b3300, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xe90b3300, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x59bde5, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.681] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.682] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0282.682] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0282.682] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.682] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.682] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.682] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.682] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11932d00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x11932d00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x11932d00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="NTDETECT.COM") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntldr") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="MSDOS.SYS") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="IO.SYS") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="boot.ini") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="desktop.ini") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="CONFIG.SYS") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RECYCLER") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="bootmgr") returned 1 [0282.682] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0282.683] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0282.683] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0282.683] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0282.683] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="microsoft") returned 1 [0282.683] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="sophos") returned 1 [0282.683] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x130) returned 0x28deb58 [0282.683] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0282.683] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.683] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.683] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11932d00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x11932d00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x11932d00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.689] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0282.689] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb58 | out: hHeap=0x28d0000) returned 1 [0282.689] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea60 | out: hHeap=0x28d0000) returned 1 [0282.689] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de968 | out: hHeap=0x28d0000) returned 1 [0282.689] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0282.692] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0282.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de870 | out: hHeap=0x28d0000) returned 1 [0282.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.693] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.693] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0282.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.693] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc767be9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="...") returned 1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="windows") returned -1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$RECYCLE.BIN") returned 1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="rsa") returned -1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="NTDETECT.COM") returned -1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="ntldr") returned -1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="MSDOS.SYS") returned -1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="IO.SYS") returned -1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="boot.ini") returned -1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="AUTOEXEC.BAT") returned -1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="ntuser.dat") returned -1 [0282.693] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="desktop.ini") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="CONFIG.SYS") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="RECYCLER") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="BOOTSECT.BAK") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="bootmgr") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="programdata") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="appdata") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="program files") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="program files (x86)") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="microsoft") returned -1 [0282.694] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="sophos") returned -1 [0282.694] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0282.694] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd6) returned 0x28de3b0 [0282.694] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.694] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.694] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbe10 [0282.694] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de490 [0282.694] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de538 [0282.694] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc767be9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f620 [0282.695] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.695] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc767be9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.695] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.695] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.695] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x37687158, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x2ee, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0282.695] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0282.696] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0282.696] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0282.696] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0282.696] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de5e0 [0282.696] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de538 | out: hHeap=0x28d0000) returned 1 [0282.696] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0282.696] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0282.696] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0282.696] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de698 [0282.696] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0282.697] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=750) returned 1 [0282.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0282.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0282.698] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0282.698] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0282.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0282.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0282.698] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0282.698] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0282.701] GetTickCount () returned 0x1186cd1 [0282.701] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0282.701] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.701] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.701] SetLastError (dwErrCode=0x0) [0282.701] WriteFile (in: hFile=0x270, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.731] GetLastError () returned 0x0 [0282.731] GetLastError () returned 0x0 [0282.731] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.731] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.732] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.732] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xced62d38, dwHighDateTime=0x1d5fd73)) [0282.732] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0282.732] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.732] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0282.732] GetProcessHeap () returned 0xa10000 [0282.732] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2ee) returned 0xa34b88 [0282.732] GetSystemDefaultLangID () returned 0xa20409 [0282.732] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.732] ReadFile (in: hFile=0x270, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x2ee, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee94c*=0x2ee, lpOverlapped=0x0) returned 1 [0282.732] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.732] WriteFile (in: hFile=0x270, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x2ee, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee940*=0x2ee, lpOverlapped=0x0) returned 1 [0282.733] GetProcessHeap () returned 0xa10000 [0282.733] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0282.733] CloseHandle (hObject=0x270) returned 1 [0282.735] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0282.735] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0282.736] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0282.736] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0282.736] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de750 [0282.736] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.nefilim")) returned 1 [0282.737] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de750 | out: hHeap=0x28d0000) returned 1 [0282.737] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de698 | out: hHeap=0x28d0000) returned 1 [0282.737] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc6f54ba, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2=".") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="..") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="...") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="windows") returned -1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="rsa") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="NTDETECT.COM") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="ntldr") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="MSDOS.SYS") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="IO.SYS") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="boot.ini") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.737] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="ntuser.dat") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="desktop.ini") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="CONFIG.SYS") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="RECYCLER") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="bootmgr") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="programdata") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="appdata") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="program files") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="program files (x86)") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="microsoft") returned 1 [0282.738] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="sophos") returned 1 [0282.738] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de698 [0282.738] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de5e0 | out: hHeap=0x28d0000) returned 1 [0282.738] PathFindExtensionW (pszPath="VC_redist.x64.exe") returned=".exe" [0282.738] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.738] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc6f54ba, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0282.738] FindClose (in: hFindFile=0xa2f620 | out: hFindFile=0xa2f620) returned 1 [0282.739] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de698 | out: hHeap=0x28d0000) returned 1 [0282.739] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de490 | out: hHeap=0x28d0000) returned 1 [0282.740] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.740] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d43b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2593ec2, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="...") returned 1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="windows") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$RECYCLE.BIN") returned 1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="rsa") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="NTDETECT.COM") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="ntldr") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="MSDOS.SYS") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="IO.SYS") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="boot.ini") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="AUTOEXEC.BAT") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="ntuser.dat") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="desktop.ini") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="CONFIG.SYS") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="RECYCLER") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="BOOTSECT.BAK") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="bootmgr") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="programdata") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="appdata") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="program files") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="program files (x86)") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="microsoft") returned -1 [0282.740] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="sophos") returned -1 [0282.741] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0282.741] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd6) returned 0x28dbe10 [0282.741] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.741] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0282.741] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de318 [0282.741] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de3c0 [0282.741] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de468 [0282.741] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d43b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2593ec2, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x6a00016b, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0282.741] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.741] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d43b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2593ec2, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x6a00016b, cFileName="..", cAlternateFileName="")) returned 1 [0282.741] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.741] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.741] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x35efb7db, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x0, dwReserved1=0x6a00016b, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0282.741] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0282.742] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0282.742] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de510 [0282.742] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de468 | out: hHeap=0x28d0000) returned 1 [0282.742] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0282.743] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0282.743] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0282.743] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de5c8 [0282.743] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0282.809] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=638) returned 1 [0282.809] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0282.810] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0282.810] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0282.810] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0282.810] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0282.810] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0282.810] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0282.811] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0282.811] GetTickCount () returned 0x1186d2f [0282.811] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0282.811] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.811] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x27e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.811] SetLastError (dwErrCode=0x0) [0282.811] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.813] GetLastError () returned 0x0 [0282.813] GetLastError () returned 0x0 [0282.813] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.813] WriteFile (in: hFile=0x270, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.814] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.814] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcee21d11, dwHighDateTime=0x1d5fd73)) [0282.814] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0282.814] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.814] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0282.814] GetProcessHeap () returned 0xa10000 [0282.814] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x27e) returned 0xa34b88 [0282.814] GetSystemDefaultLangID () returned 0xa20409 [0282.814] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.814] ReadFile (in: hFile=0x270, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee94c*=0x27e, lpOverlapped=0x0) returned 1 [0282.814] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.814] WriteFile (in: hFile=0x270, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee940*=0x27e, lpOverlapped=0x0) returned 1 [0282.814] GetProcessHeap () returned 0xa10000 [0282.814] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0282.814] CloseHandle (hObject=0x270) returned 1 [0282.816] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0282.816] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0282.816] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0282.816] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0282.816] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de680 [0282.816] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.nefilim")) returned 1 [0282.817] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de680 | out: hHeap=0x28d0000) returned 1 [0282.817] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de5c8 | out: hHeap=0x28d0000) returned 1 [0282.817] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd2547a05, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x6a00016b, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0282.817] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0282.817] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0282.817] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="...") returned 1 [0282.817] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="windows") returned -1 [0282.817] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="rsa") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="NTDETECT.COM") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntldr") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="MSDOS.SYS") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="IO.SYS") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="boot.ini") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntuser.dat") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="desktop.ini") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="CONFIG.SYS") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="RECYCLER") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="bootmgr") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="programdata") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="appdata") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files (x86)") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="microsoft") returned 1 [0282.818] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="sophos") returned 1 [0282.818] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de5c8 [0282.819] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de510 | out: hHeap=0x28d0000) returned 1 [0282.819] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0282.819] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.819] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd2547a05, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x6a00016b, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0282.819] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0282.819] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de5c8 | out: hHeap=0x28d0000) returned 1 [0282.819] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3c0 | out: hHeap=0x28d0000) returned 1 [0282.819] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.819] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5598, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9a674c8, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0282.819] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0282.819] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0282.819] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="...") returned 1 [0282.819] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="windows") returned -1 [0282.819] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$RECYCLE.BIN") returned 1 [0282.819] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="rsa") returned -1 [0282.819] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="NTDETECT.COM") returned -1 [0282.819] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="ntldr") returned -1 [0282.819] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="MSDOS.SYS") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="IO.SYS") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="boot.ini") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="AUTOEXEC.BAT") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="ntuser.dat") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="desktop.ini") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="CONFIG.SYS") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="RECYCLER") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="BOOTSECT.BAK") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="bootmgr") returned -1 [0282.820] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="programdata") returned -1 [0282.821] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="appdata") returned -1 [0282.821] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="program files") returned -1 [0282.821] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="program files (x86)") returned -1 [0282.821] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="microsoft") returned -1 [0282.821] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="sophos") returned -1 [0282.821] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0282.821] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd6) returned 0x28de3b0 [0282.821] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.821] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.821] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbe10 [0282.821] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de490 [0282.821] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de538 [0282.821] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5598, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9a674c8, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0282.822] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.822] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5598, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9a674c8, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.822] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.822] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.822] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x3714fdce, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x2ee, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0282.822] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0282.823] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0282.823] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0282.823] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0282.823] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0282.823] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0282.823] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0282.823] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de5e0 [0282.823] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de538 | out: hHeap=0x28d0000) returned 1 [0282.823] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0282.823] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0282.823] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0282.823] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de698 [0282.824] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0282.824] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=750) returned 1 [0282.824] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0282.824] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0282.824] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0282.824] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0282.824] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0282.824] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0282.824] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0282.844] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0282.845] GetTickCount () returned 0x1186d4e [0282.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0282.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.845] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.845] SetLastError (dwErrCode=0x0) [0282.845] WriteFile (in: hFile=0x270, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.910] GetLastError () returned 0x0 [0282.910] GetLastError () returned 0x0 [0282.910] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.910] WriteFile (in: hFile=0x270, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0282.911] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.911] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcef2cd61, dwHighDateTime=0x1d5fd73)) [0282.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0282.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0282.911] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0282.911] GetProcessHeap () returned 0xa10000 [0282.911] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2ee) returned 0xa34b88 [0282.911] GetSystemDefaultLangID () returned 0xa20409 [0282.911] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.911] ReadFile (in: hFile=0x270, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x2ee, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee94c*=0x2ee, lpOverlapped=0x0) returned 1 [0282.911] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.911] WriteFile (in: hFile=0x270, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x2ee, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee940*=0x2ee, lpOverlapped=0x0) returned 1 [0282.911] GetProcessHeap () returned 0xa10000 [0282.911] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0282.911] CloseHandle (hObject=0x270) returned 1 [0282.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0282.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0282.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0282.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0282.913] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de750 [0282.913] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.nefilim")) returned 1 [0282.914] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de750 | out: hHeap=0x28d0000) returned 1 [0282.914] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de698 | out: hHeap=0x28d0000) returned 1 [0282.914] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd99f4dad, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2=".") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="..") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="...") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="windows") returned -1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="$RECYCLE.BIN") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="rsa") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="NTDETECT.COM") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="ntldr") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="MSDOS.SYS") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="IO.SYS") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="boot.ini") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="AUTOEXEC.BAT") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="ntuser.dat") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="desktop.ini") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="CONFIG.SYS") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="RECYCLER") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="BOOTSECT.BAK") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="bootmgr") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="programdata") returned 1 [0282.914] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="appdata") returned 1 [0282.915] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="program files") returned 1 [0282.915] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="program files (x86)") returned 1 [0282.915] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="microsoft") returned 1 [0282.915] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="sophos") returned 1 [0282.915] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de698 [0282.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de5e0 | out: hHeap=0x28d0000) returned 1 [0282.915] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0282.915] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0282.915] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd99f4dad, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0282.915] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0282.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de698 | out: hHeap=0x28d0000) returned 1 [0282.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de490 | out: hHeap=0x28d0000) returned 1 [0282.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.915] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="...") returned 1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="windows") returned -1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="rsa") returned -1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="ntldr") returned -1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="IO.SYS") returned -1 [0282.915] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="boot.ini") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="ntuser.dat") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="desktop.ini") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="RECYCLER") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="bootmgr") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="programdata") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="appdata") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="program files") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="program files (x86)") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="microsoft") returned -1 [0282.916] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="sophos") returned -1 [0282.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe10 [0282.916] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0282.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de318 [0282.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de3d0 [0282.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28de488 [0282.916] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0282.916] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.916] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0282.917] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.917] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.917] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0282.917] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0282.918] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0282.918] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0282.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de540 [0282.918] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de488 | out: hHeap=0x28d0000) returned 1 [0282.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de608 [0282.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de6d0 [0282.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de798 [0282.918] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0282.918] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.918] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.918] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.918] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.918] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0282.918] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0282.918] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0282.918] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0282.918] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0282.918] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$RECYCLE.BIN") returned 1 [0282.918] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0282.918] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="NTDETECT.COM") returned 1 [0282.918] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntldr") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="MSDOS.SYS") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="IO.SYS") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="boot.ini") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="AUTOEXEC.BAT") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="desktop.ini") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="CONFIG.SYS") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="RECYCLER") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="BOOTSECT.BAK") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="bootmgr") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="microsoft") returned 1 [0282.919] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="sophos") returned 1 [0282.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de860 [0282.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0282.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de958 [0282.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28dea50 [0282.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28deb48 [0282.919] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0282.920] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.920] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.920] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.920] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.920] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6151ff00, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x6151ff00, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x6151ff00, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0282.920] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0282.921] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0282.921] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0282.921] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.921] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0282.921] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0282.921] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0282.921] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0282.921] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbe7800, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5dbe7800, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5dbe7800, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="NTDETECT.COM") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntldr") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="MSDOS.SYS") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="IO.SYS") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="boot.ini") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="desktop.ini") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="CONFIG.SYS") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RECYCLER") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="bootmgr") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="microsoft") returned 1 [0282.922] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="sophos") returned 1 [0282.922] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x130) returned 0x28deb48 [0282.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0282.922] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0282.922] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0282.923] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0282.923] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbe7800, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5dbe7800, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5dbe7800, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0282.923] FindClose (in: hFindFile=0xa2f920 | out: hFindFile=0xa2f920) returned 1 [0282.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb48 | out: hHeap=0x28d0000) returned 1 [0282.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea50 | out: hHeap=0x28d0000) returned 1 [0282.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de958 | out: hHeap=0x28d0000) returned 1 [0282.923] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0282.923] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0282.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de860 | out: hHeap=0x28d0000) returned 1 [0282.924] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6d0 | out: hHeap=0x28d0000) returned 1 [0282.924] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de608 | out: hHeap=0x28d0000) returned 1 [0282.924] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0282.924] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0282.924] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de540 | out: hHeap=0x28d0000) returned 1 [0282.924] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3d0 | out: hHeap=0x28d0000) returned 1 [0282.924] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.924] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0282.924] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0282.925] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0282.925] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb8 | out: hHeap=0x28d0000) returned 1 [0282.925] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd60 | out: hHeap=0x28d0000) returned 1 [0282.925] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0282.925] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2=".") returned 1 [0282.925] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="..") returned 1 [0282.925] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="...") returned 1 [0282.925] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="windows") returned -1 [0282.925] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="$RECYCLE.BIN") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="rsa") returned -1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="NTDETECT.COM") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="ntldr") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="MSDOS.SYS") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="IO.SYS") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="boot.ini") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="AUTOEXEC.BAT") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="ntuser.dat") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="desktop.ini") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="CONFIG.SYS") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="RECYCLER") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="BOOTSECT.BAK") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="bootmgr") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="programdata") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="appdata") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="program files") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="program files (x86)") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="microsoft") returned 1 [0282.926] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="sophos") returned -1 [0282.926] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd60 [0282.926] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0282.926] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0282.926] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdc8 [0282.926] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe30 [0282.926] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0282.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0282.964] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0282.965] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0282.965] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0282.965] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1446700, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0x4af5600b, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf1446700, ftLastWriteTime.dwHighDateTime=0x1d0d7c7, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", cAlternateFileName="REGID1~3.SWI")) returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2=".") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="..") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="...") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="windows") returned -1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="$RECYCLE.BIN") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="rsa") returned -1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="NTDETECT.COM") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="ntldr") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="MSDOS.SYS") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="IO.SYS") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="boot.ini") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="AUTOEXEC.BAT") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="ntuser.dat") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="desktop.ini") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="CONFIG.SYS") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="RECYCLER") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="BOOTSECT.BAK") returned 1 [0282.965] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="bootmgr") returned 1 [0282.966] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="programdata") returned 1 [0282.966] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="appdata") returned 1 [0282.966] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="program files") returned 1 [0282.966] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="program files (x86)") returned 1 [0282.966] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="microsoft") returned 1 [0282.966] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="sophos") returned -1 [0282.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x110) returned 0x28de318 [0282.966] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe30 | out: hHeap=0x28d0000) returned 1 [0282.966] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0282.966] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12e8 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".exe") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".log") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".cab") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".cmd") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".com") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".cpl") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".ini") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".dll") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".url") returned -1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".ttf") returned -1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".mp3") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".pif") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".mp4") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".NEFILIM") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".msi") returned 1 [0282.966] lstrcmpiW (lpString1=".swidtag", lpString2=".lnk") returned 1 [0282.966] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0282.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x110) returned 0x28de430 [0282.967] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0282.968] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=1072) returned 1 [0282.968] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0282.968] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0282.968] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0282.968] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0282.968] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0282.968] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0282.968] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x100) returned 1 [0282.970] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26eec04*=0x100) returned 1 [0282.972] GetTickCount () returned 0x1186ddb [0282.972] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd28 [0282.972] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0282.972] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.972] SetLastError (dwErrCode=0x0) [0282.972] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0282.976] GetLastError () returned 0x0 [0282.976] GetLastError () returned 0x0 [0282.976] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.976] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0282.976] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.976] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xcefc5847, dwHighDateTime=0x1d5fd73)) [0282.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe30 [0282.976] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe30 | out: hHeap=0x28d0000) returned 1 [0282.976] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0282.976] GetProcessHeap () returned 0xa10000 [0282.976] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x430) returned 0xa34b88 [0282.976] GetSystemDefaultLangID () returned 0xa20409 [0282.976] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.976] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x430, lpOverlapped=0x0) returned 1 [0282.977] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.977] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x430, lpOverlapped=0x0) returned 1 [0282.977] GetProcessHeap () returned 0xa10000 [0282.977] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0282.977] CloseHandle (hObject=0x26c) returned 1 [0282.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0282.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0282.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0282.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0282.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x120) returned 0x28de548 [0282.980] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), lpNewFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.NEFILIM" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag.nefilim")) returned 1 [0282.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de548 | out: hHeap=0x28d0000) returned 1 [0282.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de430 | out: hHeap=0x28d0000) returned 1 [0282.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e8 | out: hHeap=0x28d0000) returned 1 [0282.981] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbfefc00, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0xda9f4a95, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbfefc00, ftLastWriteTime.dwHighDateTime=0x1d0d7c7, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", cAlternateFileName="REGID1~2.SWI")) returned 1 [0282.981] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2=".") returned 1 [0282.981] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="..") returned 1 [0282.981] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="...") returned 1 [0282.981] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="windows") returned -1 [0282.981] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="$RECYCLE.BIN") returned 1 [0282.981] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="rsa") returned -1 [0282.981] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="NTDETECT.COM") returned 1 [0282.981] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="ntldr") returned 1 [0282.981] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="MSDOS.SYS") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="IO.SYS") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="boot.ini") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="AUTOEXEC.BAT") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="ntuser.dat") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="desktop.ini") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="CONFIG.SYS") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="RECYCLER") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="BOOTSECT.BAK") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="bootmgr") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="programdata") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="appdata") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="program files") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="program files (x86)") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="microsoft") returned 1 [0282.982] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="sophos") returned -1 [0282.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0282.982] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.982] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0282.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12e8 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".exe") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".log") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".cab") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".cmd") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".com") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".cpl") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".ini") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".dll") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".url") returned -1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".ttf") returned -1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".mp3") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".pif") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".mp4") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".NEFILIM") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".msi") returned 1 [0282.983] lstrcmpiW (lpString1=".swidtag", lpString2=".lnk") returned 1 [0282.983] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0282.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0282.984] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0282.987] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=1068) returned 1 [0282.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0282.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0282.987] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0282.987] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0282.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0282.987] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0282.988] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0282.989] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0282.990] GetTickCount () returned 0x1186dea [0282.990] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd28 [0282.990] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0282.990] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x42c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.990] SetLastError (dwErrCode=0x0) [0282.991] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0282.993] GetLastError () returned 0x0 [0282.993] GetLastError () returned 0x0 [0282.993] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x52c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.993] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0282.993] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x62c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.993] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xcefebd99, dwHighDateTime=0x1d5fd73)) [0282.993] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe30 [0282.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe30 | out: hHeap=0x28d0000) returned 1 [0282.993] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0282.993] GetProcessHeap () returned 0xa10000 [0282.993] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x42c) returned 0xa34b88 [0282.993] GetSystemDefaultLangID () returned 0xa20409 [0282.993] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.993] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x42c, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x42c, lpOverlapped=0x0) returned 1 [0282.994] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0282.994] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x42c, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x42c, lpOverlapped=0x0) returned 1 [0282.994] GetProcessHeap () returned 0xa10000 [0282.994] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0282.994] CloseHandle (hObject=0x26c) returned 1 [0282.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0282.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0282.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0282.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0282.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x110) returned 0x28de318 [0282.995] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), lpNewFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.NEFILIM" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag.nefilim")) returned 1 [0282.996] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0282.996] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0282.996] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e8 | out: hHeap=0x28d0000) returned 1 [0282.996] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1446700, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0x53fba98c, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf1446700, ftLastWriteTime.dwHighDateTime=0x1d0d7c7, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="REGID1~4.SWI")) returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2=".") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="..") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="...") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="windows") returned -1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="$RECYCLE.BIN") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="rsa") returned -1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="NTDETECT.COM") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="ntldr") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="MSDOS.SYS") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="IO.SYS") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="boot.ini") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="AUTOEXEC.BAT") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="ntuser.dat") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="desktop.ini") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="CONFIG.SYS") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="RECYCLER") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="BOOTSECT.BAK") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="bootmgr") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="programdata") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="appdata") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="program files") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="program files (x86)") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="microsoft") returned 1 [0282.997] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="sophos") returned -1 [0282.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x110) returned 0x28de318 [0282.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0282.997] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0282.998] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12e8 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".exe") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".log") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".cab") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".cmd") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".com") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".cpl") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".ini") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".dll") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".url") returned -1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".ttf") returned -1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".mp3") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".pif") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".mp4") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".NEFILIM") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".msi") returned 1 [0282.998] lstrcmpiW (lpString1=".swidtag", lpString2=".lnk") returned 1 [0282.998] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0282.998] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x110) returned 0x28de430 [0282.998] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0282.999] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=1071) returned 1 [0282.999] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0283.000] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.000] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0283.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0283.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0283.000] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0283.001] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0283.003] GetTickCount () returned 0x1186dfa [0283.003] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd28 [0283.003] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0283.003] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x42f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.003] SetLastError (dwErrCode=0x0) [0283.003] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0283.013] GetLastError () returned 0x0 [0283.013] GetLastError () returned 0x0 [0283.013] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x52f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.013] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0283.013] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x62f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.013] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xcf011b89, dwHighDateTime=0x1d5fd73)) [0283.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe30 [0283.013] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe30 | out: hHeap=0x28d0000) returned 1 [0283.013] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0283.013] GetProcessHeap () returned 0xa10000 [0283.013] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x42f) returned 0xa34b88 [0283.014] GetSystemDefaultLangID () returned 0xa20409 [0283.014] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.014] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x42f, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x42f, lpOverlapped=0x0) returned 1 [0283.014] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.014] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x42f, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x42f, lpOverlapped=0x0) returned 1 [0283.014] GetProcessHeap () returned 0xa10000 [0283.014] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0283.014] CloseHandle (hObject=0x26c) returned 1 [0283.015] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0283.015] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0283.015] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.016] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0283.016] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x120) returned 0x28de548 [0283.016] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), lpNewFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.NEFILIM" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag.nefilim")) returned 1 [0283.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de548 | out: hHeap=0x28d0000) returned 1 [0283.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de430 | out: hHeap=0x28d0000) returned 1 [0283.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e8 | out: hHeap=0x28d0000) returned 1 [0283.017] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7be169cf, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x6f2e8f23, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x6f2e8f23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1 [0283.017] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2=".") returned 1 [0283.017] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="..") returned 1 [0283.017] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="...") returned 1 [0283.017] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="windows") returned -1 [0283.017] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="$RECYCLE.BIN") returned 1 [0283.017] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="rsa") returned -1 [0283.017] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="NTDETECT.COM") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="ntldr") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="MSDOS.SYS") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="IO.SYS") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="boot.ini") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="AUTOEXEC.BAT") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="ntuser.dat") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="desktop.ini") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="CONFIG.SYS") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="RECYCLER") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="BOOTSECT.BAK") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="bootmgr") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="programdata") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="appdata") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="program files") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="program files (x86)") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="microsoft") returned 1 [0283.018] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="sophos") returned -1 [0283.018] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28dbe30 [0283.018] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.018] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned=".swidtag" [0283.019] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12e8 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".exe") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".log") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".cab") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".cmd") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".com") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".cpl") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".ini") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".dll") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".url") returned -1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".ttf") returned -1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".mp3") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".pif") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".mp4") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".NEFILIM") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".msi") returned 1 [0283.019] lstrcmpiW (lpString1=".swidtag", lpString2=".lnk") returned 1 [0283.019] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.019] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28de318 [0283.019] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0283.020] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=997) returned 1 [0283.020] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0283.020] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.020] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0283.020] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.020] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0283.020] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0283.020] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0283.021] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0283.022] GetTickCount () returned 0x1186e0a [0283.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd28 [0283.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0283.022] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3e5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.023] SetLastError (dwErrCode=0x0) [0283.023] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0283.029] GetLastError () returned 0x0 [0283.029] GetLastError () returned 0x0 [0283.029] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4e5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.029] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0283.029] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5e5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.029] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xcf037dc1, dwHighDateTime=0x1d5fd73)) [0283.030] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de3f0 [0283.030] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3f0 | out: hHeap=0x28d0000) returned 1 [0283.030] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0283.030] GetProcessHeap () returned 0xa10000 [0283.030] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3e5) returned 0xa34b88 [0283.030] GetSystemDefaultLangID () returned 0xa20409 [0283.030] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.030] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x3e5, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x3e5, lpOverlapped=0x0) returned 1 [0283.030] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.030] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x3e5, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x3e5, lpOverlapped=0x0) returned 1 [0283.030] GetProcessHeap () returned 0xa10000 [0283.030] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0283.030] CloseHandle (hObject=0x26c) returned 1 [0283.031] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0283.031] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0283.032] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0283.032] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.032] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28de3f0 [0283.032] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), lpNewFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.NEFILIM" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag.nefilim")) returned 1 [0283.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3f0 | out: hHeap=0x28d0000) returned 1 [0283.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e8 | out: hHeap=0x28d0000) returned 1 [0283.033] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7be169cf, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x6f2e8f23, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x6f2e8f23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 0 [0283.033] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0283.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe30 | out: hHeap=0x28d0000) returned 1 [0283.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdc8 | out: hHeap=0x28d0000) returned 1 [0283.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0283.033] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2=".") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="..") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="...") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="windows") returned -1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="$RECYCLE.BIN") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="rsa") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="NTDETECT.COM") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="ntldr") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="MSDOS.SYS") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="IO.SYS") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="boot.ini") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="AUTOEXEC.BAT") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="ntuser.dat") returned 1 [0283.033] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="desktop.ini") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="CONFIG.SYS") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="RECYCLER") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="BOOTSECT.BAK") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="bootmgr") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="programdata") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="appdata") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="program files") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="program files (x86)") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="microsoft") returned 1 [0283.034] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="sophos") returned -1 [0283.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0283.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x76) returned 0x28dbdc8 [0283.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0283.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd60 | out: hHeap=0x28d0000) returned 1 [0283.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe48 [0283.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0283.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0283.034] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0283.035] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0283.035] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="..", cAlternateFileName="")) returned 1 [0283.035] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0283.035] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0283.035] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="..", cAlternateFileName="")) returned 0 [0283.035] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0283.035] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0283.035] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0283.035] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0283.035] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0283.035] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0283.035] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0283.035] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0283.035] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0283.035] lstrcmpiW (lpString1="Start Menu", lpString2="$RECYCLE.BIN") returned 1 [0283.035] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0283.035] lstrcmpiW (lpString1="Start Menu", lpString2="NTDETECT.COM") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="ntldr") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="MSDOS.SYS") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="IO.SYS") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="boot.ini") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="AUTOEXEC.BAT") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="desktop.ini") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="CONFIG.SYS") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="RECYCLER") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="BOOTSECT.BAK") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="microsoft") returned 1 [0283.036] lstrcmpiW (lpString1="Start Menu", lpString2="sophos") returned 1 [0283.036] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe48 [0283.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdc8 | out: hHeap=0x28d0000) returned 1 [0283.036] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0283.036] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0283.036] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd08 [0283.036] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Start Menu\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x6000006, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x31000031, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x21000021, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="", cAlternateFileName="ɮ⊺\x01뺐ʍ빈ʍ<")) returned 0xffffffff [0283.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0283.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0283.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0283.037] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="$RECYCLE.BIN") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="NTDETECT.COM") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="ntldr") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="MSDOS.SYS") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="IO.SYS") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="boot.ini") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="AUTOEXEC.BAT") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="desktop.ini") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="CONFIG.SYS") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="RECYCLER") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="BOOTSECT.BAK") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="microsoft") returned 1 [0283.037] lstrcmpiW (lpString1="Templates", lpString2="sophos") returned 1 [0283.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0283.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0283.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0283.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0283.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd50 [0283.038] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Templates\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x9b00019a, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x6000006, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x31000031, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍ뺐ʍ:")) returned 0xffffffff [0283.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0283.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0283.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0283.038] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0283.038] lstrcmpiW (lpString1="USOPrivate", lpString2=".") returned 1 [0283.038] lstrcmpiW (lpString1="USOPrivate", lpString2="..") returned 1 [0283.038] lstrcmpiW (lpString1="USOPrivate", lpString2="...") returned 1 [0283.038] lstrcmpiW (lpString1="USOPrivate", lpString2="windows") returned -1 [0283.038] lstrcmpiW (lpString1="USOPrivate", lpString2="$RECYCLE.BIN") returned 1 [0283.038] lstrcmpiW (lpString1="USOPrivate", lpString2="rsa") returned 1 [0283.038] lstrcmpiW (lpString1="USOPrivate", lpString2="NTDETECT.COM") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="ntldr") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="MSDOS.SYS") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="IO.SYS") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="boot.ini") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="AUTOEXEC.BAT") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="ntuser.dat") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="desktop.ini") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="CONFIG.SYS") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="RECYCLER") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="BOOTSECT.BAK") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="bootmgr") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="programdata") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="appdata") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="program files") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="program files (x86)") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="microsoft") returned 1 [0283.039] lstrcmpiW (lpString1="USOPrivate", lpString2="sophos") returned 1 [0283.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0283.039] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0283.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0283.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0283.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0283.039] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOPrivate\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName=".", cAlternateFileName="")) returned 0xa2f360 [0283.040] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0283.040] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="..", cAlternateFileName="")) returned 1 [0283.040] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0283.040] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0283.040] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x94d99379, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0x94d99379, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2=".") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="..") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="...") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="windows") returned -1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="$RECYCLE.BIN") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="rsa") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="NTDETECT.COM") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="ntldr") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="MSDOS.SYS") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="IO.SYS") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="boot.ini") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="AUTOEXEC.BAT") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="ntuser.dat") returned 1 [0283.040] lstrcmpiW (lpString1="UpdateStore", lpString2="desktop.ini") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="CONFIG.SYS") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="RECYCLER") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="BOOTSECT.BAK") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="bootmgr") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="programdata") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="appdata") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="program files") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="program files (x86)") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="microsoft") returned 1 [0283.041] lstrcmpiW (lpString1="UpdateStore", lpString2="sophos") returned 1 [0283.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf0 [0283.041] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0283.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe58 [0283.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de318 [0283.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de380 [0283.041] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x94d99379, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0x94d99379, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0283.041] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0283.041] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x94d99379, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0x94d99379, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.043] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0283.043] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0283.043] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc9086d4, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xdc9086d4, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xdc9086d4, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x1a, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateCspStore.xml", cAlternateFileName="UPDATE~2.XML")) returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2=".") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="..") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="...") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="windows") returned -1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="$RECYCLE.BIN") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="rsa") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="NTDETECT.COM") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="ntldr") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="MSDOS.SYS") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="IO.SYS") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="boot.ini") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="AUTOEXEC.BAT") returned 1 [0283.043] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="ntuser.dat") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="desktop.ini") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="CONFIG.SYS") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="RECYCLER") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="BOOTSECT.BAK") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="bootmgr") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="programdata") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="appdata") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="program files") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="program files (x86)") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="microsoft") returned 1 [0283.044] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="sophos") returned 1 [0283.044] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3e8 [0283.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de380 | out: hHeap=0x28d0000) returned 1 [0283.044] PathFindExtensionW (pszPath="UpdateCspStore.xml") returned=".xml" [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0283.044] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0283.045] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0283.045] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0283.045] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0283.045] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0283.045] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0283.045] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de470 [0283.045] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\UpdateCspStore.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatecspstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.047] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=26) returned 1 [0283.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0283.047] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.047] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0283.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0283.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0283.047] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.048] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.049] GetTickCount () returned 0x1186e19 [0283.049] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec0 [0283.050] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec0 | out: hHeap=0x28d0000) returned 1 [0283.050] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.050] SetLastError (dwErrCode=0x0) [0283.050] WriteFile (in: hFile=0x270, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.052] GetLastError () returned 0x0 [0283.052] GetLastError () returned 0x0 [0283.052] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x11a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.052] WriteFile (in: hFile=0x270, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.052] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x21a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.052] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf0841ea, dwHighDateTime=0x1d5fd73)) [0283.052] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbec0 [0283.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec0 | out: hHeap=0x28d0000) returned 1 [0283.052] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.052] GetProcessHeap () returned 0xa10000 [0283.052] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1a) returned 0xa30360 [0283.052] GetSystemDefaultLangID () returned 0xa20409 [0283.053] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.053] ReadFile (in: hFile=0x270, lpBuffer=0xa30360, nNumberOfBytesToRead=0x1a, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa30360*, lpNumberOfBytesRead=0x26ee94c*=0x1a, lpOverlapped=0x0) returned 1 [0283.053] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.053] WriteFile (in: hFile=0x270, lpBuffer=0xa30360*, nNumberOfBytesToWrite=0x1a, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa30360*, lpNumberOfBytesWritten=0x26ee940*=0x1a, lpOverlapped=0x0) returned 1 [0283.053] GetProcessHeap () returned 0xa10000 [0283.053] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa30360 | out: hHeap=0xa10000) returned 1 [0283.053] CloseHandle (hObject=0x270) returned 1 [0283.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0283.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0283.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0283.054] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de4f8 [0283.054] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\UpdateCspStore.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatecspstore.xml"), lpNewFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\UpdateCspStore.xml.NEFILIM" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatecspstore.xml.nefilim")) returned 1 [0283.055] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de4f8 | out: hHeap=0x28d0000) returned 1 [0283.055] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de470 | out: hHeap=0x28d0000) returned 1 [0283.055] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1957bdd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x948c0c1a, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0x94ca38cb, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x5a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2=".") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="..") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="...") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="windows") returned -1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="$RECYCLE.BIN") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="rsa") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="NTDETECT.COM") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="ntldr") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="MSDOS.SYS") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="IO.SYS") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="boot.ini") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="AUTOEXEC.BAT") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="ntuser.dat") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="desktop.ini") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="CONFIG.SYS") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="RECYCLER") returned 1 [0283.055] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="BOOTSECT.BAK") returned 1 [0283.056] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="bootmgr") returned 1 [0283.056] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="programdata") returned 1 [0283.056] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="appdata") returned 1 [0283.056] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="program files") returned 1 [0283.056] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="program files (x86)") returned 1 [0283.056] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="microsoft") returned 1 [0283.056] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="sophos") returned 1 [0283.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de470 [0283.056] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3e8 | out: hHeap=0x28d0000) returned 1 [0283.056] PathFindExtensionW (pszPath="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned=".xml" [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0283.056] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0283.056] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.056] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28de380 [0283.056] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.057] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=1444) returned 1 [0283.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.057] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.057] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0283.057] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.059] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.061] GetTickCount () returned 0x1186e29 [0283.061] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec0 [0283.061] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec0 | out: hHeap=0x28d0000) returned 1 [0283.061] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.061] SetLastError (dwErrCode=0x0) [0283.061] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.062] GetLastError () returned 0x0 [0283.062] GetLastError () returned 0x0 [0283.062] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x6a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.062] WriteFile (in: hFile=0x270, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.062] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.062] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf0841ea, dwHighDateTime=0x1d5fd73)) [0283.062] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbec0 [0283.062] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec0 | out: hHeap=0x28d0000) returned 1 [0283.062] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.062] GetProcessHeap () returned 0xa10000 [0283.062] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x5a4) returned 0xa34b88 [0283.062] GetSystemDefaultLangID () returned 0xa20409 [0283.062] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.062] ReadFile (in: hFile=0x270, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x5a4, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee94c*=0x5a4, lpOverlapped=0x0) returned 1 [0283.062] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.063] WriteFile (in: hFile=0x270, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x5a4, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee940*=0x5a4, lpOverlapped=0x0) returned 1 [0283.063] GetProcessHeap () returned 0xa10000 [0283.063] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0283.063] CloseHandle (hObject=0x270) returned 1 [0283.066] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0283.066] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0283.066] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.066] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.066] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28de538 [0283.067] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), lpNewFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.NEFILIM" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.nefilim")) returned 1 [0283.067] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de538 | out: hHeap=0x28d0000) returned 1 [0283.067] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de380 | out: hHeap=0x28d0000) returned 1 [0283.067] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1957bdd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x948c0c1a, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0x94ca38cb, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x5a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 0 [0283.068] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0283.068] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de470 | out: hHeap=0x28d0000) returned 1 [0283.068] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.068] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0283.068] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x94d99379, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0x94d99379, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 0 [0283.068] FindClose (in: hFindFile=0xa2f360 | out: hFindFile=0xa2f360) returned 1 [0283.068] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0283.068] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0283.068] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0283.068] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2=".") returned 1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2="..") returned 1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2="...") returned 1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2="windows") returned -1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2="$RECYCLE.BIN") returned 1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2="rsa") returned 1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2="NTDETECT.COM") returned 1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2="ntldr") returned 1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2="MSDOS.SYS") returned 1 [0283.068] lstrcmpiW (lpString1="USOShared", lpString2="IO.SYS") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="boot.ini") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="AUTOEXEC.BAT") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="ntuser.dat") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="desktop.ini") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="CONFIG.SYS") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="RECYCLER") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="BOOTSECT.BAK") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="bootmgr") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="programdata") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="appdata") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="program files") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="program files (x86)") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="microsoft") returned 1 [0283.069] lstrcmpiW (lpString1="USOShared", lpString2="sophos") returned 1 [0283.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0283.069] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0283.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0283.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0283.069] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0283.069] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOShared\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0283.070] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0283.070] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="..", cAlternateFileName="")) returned 1 [0283.070] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0283.070] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0283.070] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc3cd5f58, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0xc3cd5f58, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="Logs", cAlternateFileName="")) returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="rsa") returned -1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="NTDETECT.COM") returned -1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="ntldr") returned -1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="MSDOS.SYS") returned -1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="IO.SYS") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="boot.ini") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="AUTOEXEC.BAT") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="ntuser.dat") returned -1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="desktop.ini") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="CONFIG.SYS") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="RECYCLER") returned -1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="BOOTSECT.BAK") returned 1 [0283.070] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0283.071] lstrcmpiW (lpString1="Logs", lpString2="programdata") returned -1 [0283.071] lstrcmpiW (lpString1="Logs", lpString2="appdata") returned 1 [0283.071] lstrcmpiW (lpString1="Logs", lpString2="program files") returned -1 [0283.071] lstrcmpiW (lpString1="Logs", lpString2="program files (x86)") returned -1 [0283.071] lstrcmpiW (lpString1="Logs", lpString2="microsoft") returned -1 [0283.071] lstrcmpiW (lpString1="Logs", lpString2="sophos") returned -1 [0283.071] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0283.071] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0283.071] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0283.071] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe48 [0283.071] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbea0 [0283.071] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc3cd5f58, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0xc3cd5f58, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0283.072] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0283.072] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc3cd5f58, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0xc3cd5f58, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.073] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0283.073] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0283.073] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cf76e0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x58d51fd9, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x597705f5, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUx.001.etl", cAlternateFileName="NOBE5B~1.ETL")) returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2=".") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="..") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="...") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="windows") returned -1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="rsa") returned -1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="NTDETECT.COM") returned -1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="ntldr") returned -1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="MSDOS.SYS") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="IO.SYS") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="boot.ini") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="ntuser.dat") returned -1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="desktop.ini") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="CONFIG.SYS") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="RECYCLER") returned -1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="bootmgr") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="programdata") returned -1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="appdata") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="program files") returned -1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="program files (x86)") returned -1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="microsoft") returned 1 [0283.073] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="sophos") returned -1 [0283.073] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.074] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.074] PathFindExtensionW (pszPath="NotificationUx.001.etl") returned=".etl" [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.074] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.074] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.074] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.074] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.075] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.075] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.075] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0283.075] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0283.075] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.076] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.076] GetTickCount () returned 0x1186e38 [0283.076] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.076] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.076] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.076] SetLastError (dwErrCode=0x0) [0283.076] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.077] GetLastError () returned 0x0 [0283.077] GetLastError () returned 0x0 [0283.077] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.077] WriteFile (in: hFile=0x270, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.077] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.077] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf0abd6a, dwHighDateTime=0x1d5fd73)) [0283.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.077] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.077] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.078] GetProcessHeap () returned 0xa10000 [0283.078] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.078] GetSystemDefaultLangID () returned 0xa20409 [0283.078] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.078] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.110] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.110] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.111] GetProcessHeap () returned 0xa10000 [0283.111] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.111] CloseHandle (hObject=0x270) returned 1 [0283.112] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0283.112] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0283.112] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.112] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.112] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.001.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.001.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.001.etl.nefilim")) returned 1 [0283.113] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.113] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.113] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cf76e0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7cf76e0, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x852e502, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUx.002.etl", cAlternateFileName="NOTIFI~2.ETL")) returned 1 [0283.113] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2=".") returned 1 [0283.113] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="..") returned 1 [0283.113] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="...") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="windows") returned -1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="rsa") returned -1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="NTDETECT.COM") returned -1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="ntldr") returned -1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="MSDOS.SYS") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="IO.SYS") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="boot.ini") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="ntuser.dat") returned -1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="desktop.ini") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="CONFIG.SYS") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="RECYCLER") returned -1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="bootmgr") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="programdata") returned -1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="appdata") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="program files") returned -1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="program files (x86)") returned -1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="microsoft") returned 1 [0283.114] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="sophos") returned -1 [0283.114] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.114] PathFindExtensionW (pszPath="NotificationUx.002.etl") returned=".etl" [0283.114] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.114] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.114] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.114] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.115] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.115] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.115] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.115] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.116] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.116] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.116] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.116] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.116] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.116] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0283.116] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0283.116] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.117] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.117] GetTickCount () returned 0x1186e67 [0283.117] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.117] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.117] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.117] SetLastError (dwErrCode=0x0) [0283.117] WriteFile (in: hFile=0x270, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.118] GetLastError () returned 0x0 [0283.118] GetLastError () returned 0x0 [0283.118] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.118] WriteFile (in: hFile=0x270, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.118] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.118] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf11d01d, dwHighDateTime=0x1d5fd73)) [0283.118] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.118] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.118] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.119] GetProcessHeap () returned 0xa10000 [0283.119] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.119] GetSystemDefaultLangID () returned 0xa20409 [0283.119] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.119] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.128] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.128] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.128] GetProcessHeap () returned 0xa10000 [0283.128] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.128] CloseHandle (hObject=0x270) returned 1 [0283.130] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0283.130] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0283.130] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.130] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.130] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.002.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.002.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.002.etl.nefilim")) returned 1 [0283.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.131] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x2d822f20, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x2efd472c, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.001.etl", cAlternateFileName="NO604C~1.ETL")) returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2=".") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="..") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="...") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="windows") returned -1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="rsa") returned -1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="NTDETECT.COM") returned -1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="ntldr") returned -1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="MSDOS.SYS") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="IO.SYS") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="boot.ini") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="ntuser.dat") returned -1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="desktop.ini") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="CONFIG.SYS") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="RECYCLER") returned -1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="bootmgr") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="programdata") returned -1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="appdata") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="program files") returned -1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="program files (x86)") returned -1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="microsoft") returned 1 [0283.131] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="sophos") returned -1 [0283.131] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.132] PathFindExtensionW (pszPath="NotificationUxBroker.001.etl") returned=".etl" [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.132] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.132] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.132] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.132] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.134] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0283.134] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.134] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0283.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0283.134] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.135] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.135] GetTickCount () returned 0x1186e77 [0283.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.135] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.135] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.135] SetLastError (dwErrCode=0x0) [0283.135] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.136] GetLastError () returned 0x0 [0283.136] GetLastError () returned 0x0 [0283.136] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.136] WriteFile (in: hFile=0x270, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.136] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.136] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf142e29, dwHighDateTime=0x1d5fd73)) [0283.136] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.136] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.136] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.136] GetProcessHeap () returned 0xa10000 [0283.137] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.137] GetSystemDefaultLangID () returned 0xa20409 [0283.137] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.137] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.152] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.152] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.153] GetProcessHeap () returned 0xa10000 [0283.153] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.153] CloseHandle (hObject=0x270) returned 1 [0283.168] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0283.168] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0283.168] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.168] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0283.168] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.168] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.001.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.001.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.001.etl.nefilim")) returned 1 [0283.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.169] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xfe554d51, ftLastAccessTime.dwHighDateTime=0x1d3375a, ftLastWriteTime.dwLowDateTime=0xfe782447, ftLastWriteTime.dwHighDateTime=0x1d3375a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.002.etl", cAlternateFileName="NO8BA4~1.ETL")) returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2=".") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="..") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="...") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="windows") returned -1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="rsa") returned -1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="NTDETECT.COM") returned -1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="ntldr") returned -1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="MSDOS.SYS") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="IO.SYS") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="boot.ini") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="ntuser.dat") returned -1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="desktop.ini") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="CONFIG.SYS") returned 1 [0283.169] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="RECYCLER") returned -1 [0283.170] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.170] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="bootmgr") returned 1 [0283.170] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="programdata") returned -1 [0283.170] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="appdata") returned 1 [0283.170] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="program files") returned -1 [0283.170] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="program files (x86)") returned -1 [0283.170] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="microsoft") returned 1 [0283.170] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="sophos") returned -1 [0283.170] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.170] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.170] PathFindExtensionW (pszPath="NotificationUxBroker.002.etl") returned=".etl" [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.170] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.171] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.171] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.171] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.171] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.172] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.172] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0283.172] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.172] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0283.173] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0283.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0283.173] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.173] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.174] GetTickCount () returned 0x1186e96 [0283.174] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.174] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.174] SetLastError (dwErrCode=0x0) [0283.174] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.175] GetLastError () returned 0x0 [0283.175] GetLastError () returned 0x0 [0283.176] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.176] WriteFile (in: hFile=0x270, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.176] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.176] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf1b5537, dwHighDateTime=0x1d5fd73)) [0283.176] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.176] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.176] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.176] GetProcessHeap () returned 0xa10000 [0283.176] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.177] GetSystemDefaultLangID () returned 0xa20409 [0283.177] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.177] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.234] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.234] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.234] GetProcessHeap () returned 0xa10000 [0283.235] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.235] CloseHandle (hObject=0x270) returned 1 [0283.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0283.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0283.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0283.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.236] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.236] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.002.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.002.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.002.etl.nefilim")) returned 1 [0283.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.237] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xfdf01be1, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfdfc06a7, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.003.etl", cAlternateFileName="NO3670~1.ETL")) returned 1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2=".") returned 1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="..") returned 1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="...") returned 1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="windows") returned -1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="rsa") returned -1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="NTDETECT.COM") returned -1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="ntldr") returned -1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="MSDOS.SYS") returned 1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="IO.SYS") returned 1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="boot.ini") returned 1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.237] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="ntuser.dat") returned -1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="desktop.ini") returned 1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="CONFIG.SYS") returned 1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="RECYCLER") returned -1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="bootmgr") returned 1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="programdata") returned -1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="appdata") returned 1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="program files") returned -1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="program files (x86)") returned -1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="microsoft") returned 1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="sophos") returned -1 [0283.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.238] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.238] PathFindExtensionW (pszPath="NotificationUxBroker.003.etl") returned=".etl" [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.238] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.238] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.239] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.003.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.003.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.239] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0283.239] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.239] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0283.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0283.239] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.241] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.242] GetTickCount () returned 0x1186ee4 [0283.242] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.242] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.242] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.242] SetLastError (dwErrCode=0x0) [0283.242] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.244] GetLastError () returned 0x0 [0283.244] GetLastError () returned 0x0 [0283.244] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.244] WriteFile (in: hFile=0x270, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.244] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.244] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf24df30, dwHighDateTime=0x1d5fd73)) [0283.244] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.244] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.244] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.244] GetProcessHeap () returned 0xa10000 [0283.244] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.244] GetSystemDefaultLangID () returned 0xa20409 [0283.244] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.244] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.350] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.350] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.350] GetProcessHeap () returned 0xa10000 [0283.350] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.350] CloseHandle (hObject=0x270) returned 1 [0283.351] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0283.351] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0283.352] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.352] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0283.352] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.352] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.003.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.003.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.003.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.003.etl.nefilim")) returned 1 [0283.353] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.353] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.353] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x588b3c6a, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x59ae67c8, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.004.etl", cAlternateFileName="NO2FB3~1.ETL")) returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2=".") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="..") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="...") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="windows") returned -1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="rsa") returned -1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="NTDETECT.COM") returned -1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="ntldr") returned -1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="MSDOS.SYS") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="IO.SYS") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="boot.ini") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="ntuser.dat") returned -1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="desktop.ini") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="CONFIG.SYS") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="RECYCLER") returned -1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="bootmgr") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="programdata") returned -1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="appdata") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="program files") returned -1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="program files (x86)") returned -1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="microsoft") returned 1 [0283.353] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="sophos") returned -1 [0283.353] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.353] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.353] PathFindExtensionW (pszPath="NotificationUxBroker.004.etl") returned=".etl" [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.354] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.354] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.354] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.354] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.004.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.004.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.355] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.355] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.355] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0283.355] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.355] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0283.355] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.355] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0283.355] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.355] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.355] GetTickCount () returned 0x1186f52 [0283.355] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.355] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.355] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.356] SetLastError (dwErrCode=0x0) [0283.356] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.357] GetLastError () returned 0x0 [0283.357] GetLastError () returned 0x0 [0283.357] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.357] WriteFile (in: hFile=0x270, lpBuffer=0x2d21408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21408*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.357] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.357] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf358e77, dwHighDateTime=0x1d5fd73)) [0283.357] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.357] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.357] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.357] GetProcessHeap () returned 0xa10000 [0283.357] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.357] GetSystemDefaultLangID () returned 0xa20409 [0283.357] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.357] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.397] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.398] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.398] GetProcessHeap () returned 0xa10000 [0283.398] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.398] CloseHandle (hObject=0x270) returned 1 [0283.399] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0283.399] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21408 | out: hHeap=0x28d0000) returned 1 [0283.399] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.399] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0283.399] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.399] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.004.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.004.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.004.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.004.etl.nefilim")) returned 1 [0283.400] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.400] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.400] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xb4b94410, ftLastAccessTime.dwHighDateTime=0x1d336d7, ftLastWriteTime.dwLowDateTime=0xb50917ed, ftLastWriteTime.dwHighDateTime=0x1d336d7, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.005.etl", cAlternateFileName="NO74F7~1.ETL")) returned 1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2=".") returned 1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="..") returned 1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="...") returned 1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="windows") returned -1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="rsa") returned -1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="NTDETECT.COM") returned -1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="ntldr") returned -1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="MSDOS.SYS") returned 1 [0283.400] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="IO.SYS") returned 1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="boot.ini") returned 1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="ntuser.dat") returned -1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="desktop.ini") returned 1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="CONFIG.SYS") returned 1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="RECYCLER") returned -1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="bootmgr") returned 1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="programdata") returned -1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="appdata") returned 1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="program files") returned -1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="program files (x86)") returned -1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="microsoft") returned 1 [0283.401] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="sophos") returned -1 [0283.401] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.401] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.401] PathFindExtensionW (pszPath="NotificationUxBroker.005.etl") returned=".etl" [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.401] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.402] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.402] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.402] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.402] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.402] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.402] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.005.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.005.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.406] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.406] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0283.406] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.406] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0283.406] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.406] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0283.406] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0283.406] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.406] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.407] GetTickCount () returned 0x1186f81 [0283.407] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.407] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.407] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.407] SetLastError (dwErrCode=0x0) [0283.407] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.409] GetLastError () returned 0x0 [0283.409] GetLastError () returned 0x0 [0283.409] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.409] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.409] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.409] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf3f1806, dwHighDateTime=0x1d5fd73)) [0283.409] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.409] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.409] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.409] GetProcessHeap () returned 0xa10000 [0283.409] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.410] GetSystemDefaultLangID () returned 0xa20409 [0283.410] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.410] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.439] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.439] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.439] GetProcessHeap () returned 0xa10000 [0283.440] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.440] CloseHandle (hObject=0x270) returned 1 [0283.442] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0283.442] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0283.442] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0283.442] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.442] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.005.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.005.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.005.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.005.etl.nefilim")) returned 1 [0283.443] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.443] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.443] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x86d6bb14, ftLastAccessTime.dwHighDateTime=0x1d336d7, ftLastWriteTime.dwLowDateTime=0x8728eea2, ftLastWriteTime.dwHighDateTime=0x1d336d7, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.006.etl", cAlternateFileName="NOC92C~1.ETL")) returned 1 [0283.443] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2=".") returned 1 [0283.443] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="..") returned 1 [0283.443] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="...") returned 1 [0283.443] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="windows") returned -1 [0283.443] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.443] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="rsa") returned -1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="NTDETECT.COM") returned -1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="ntldr") returned -1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="MSDOS.SYS") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="IO.SYS") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="boot.ini") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="ntuser.dat") returned -1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="desktop.ini") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="CONFIG.SYS") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="RECYCLER") returned -1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="bootmgr") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="programdata") returned -1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="appdata") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="program files") returned -1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="program files (x86)") returned -1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="microsoft") returned 1 [0283.444] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="sophos") returned -1 [0283.444] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.444] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.444] PathFindExtensionW (pszPath="NotificationUxBroker.006.etl") returned=".etl" [0283.444] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.444] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.444] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.444] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.444] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.444] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.445] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.445] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.445] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.445] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.006.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.006.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.445] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.445] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.446] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.446] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.446] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.446] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.446] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0283.446] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.448] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.449] GetTickCount () returned 0x1186faf [0283.449] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.449] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.449] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.449] SetLastError (dwErrCode=0x0) [0283.449] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.451] GetLastError () returned 0x0 [0283.451] GetLastError () returned 0x0 [0283.451] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.451] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.451] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.451] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf43dc5b, dwHighDateTime=0x1d5fd73)) [0283.451] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.451] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.451] GetProcessHeap () returned 0xa10000 [0283.451] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.451] GetSystemDefaultLangID () returned 0xa20409 [0283.451] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.452] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.453] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.453] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.453] GetProcessHeap () returned 0xa10000 [0283.453] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.453] CloseHandle (hObject=0x270) returned 1 [0283.455] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0283.455] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0283.455] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.455] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.455] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.006.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.006.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.006.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.006.etl.nefilim")) returned 1 [0283.456] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.456] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.456] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe7f77c60, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xebc8ba4e, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.007.etl", cAlternateFileName="NOAEB3~1.ETL")) returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2=".") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="..") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="...") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="windows") returned -1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="rsa") returned -1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="NTDETECT.COM") returned -1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="ntldr") returned -1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="MSDOS.SYS") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="IO.SYS") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="boot.ini") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="ntuser.dat") returned -1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="desktop.ini") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="CONFIG.SYS") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="RECYCLER") returned -1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="bootmgr") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="programdata") returned -1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="appdata") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="program files") returned -1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="program files (x86)") returned -1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="microsoft") returned 1 [0283.457] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="sophos") returned -1 [0283.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.457] PathFindExtensionW (pszPath="NotificationUxBroker.007.etl") returned=".etl" [0283.457] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.457] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.457] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.457] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.458] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.458] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.458] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.458] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.007.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.007.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.460] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0283.460] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.460] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0283.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0283.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0283.460] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.461] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.461] GetTickCount () returned 0x1186fbf [0283.461] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.461] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.461] SetLastError (dwErrCode=0x0) [0283.461] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.462] GetLastError () returned 0x0 [0283.462] GetLastError () returned 0x0 [0283.463] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.463] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.463] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.463] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf463f32, dwHighDateTime=0x1d5fd73)) [0283.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.463] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.463] GetProcessHeap () returned 0xa10000 [0283.463] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.463] GetSystemDefaultLangID () returned 0xa20409 [0283.463] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.463] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.612] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.612] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.613] GetProcessHeap () returned 0xa10000 [0283.613] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.613] CloseHandle (hObject=0x270) returned 1 [0283.614] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0283.614] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0283.614] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.614] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0283.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.614] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.007.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.007.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.007.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.007.etl.nefilim")) returned 1 [0283.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.616] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe1017621, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe10d621a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.008.etl", cAlternateFileName="NO6494~1.ETL")) returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2=".") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="..") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="...") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="windows") returned -1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="rsa") returned -1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="NTDETECT.COM") returned -1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="ntldr") returned -1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="MSDOS.SYS") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="IO.SYS") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="boot.ini") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="ntuser.dat") returned -1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="desktop.ini") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="CONFIG.SYS") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="RECYCLER") returned -1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.616] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="bootmgr") returned 1 [0283.617] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="programdata") returned -1 [0283.617] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="appdata") returned 1 [0283.617] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="program files") returned -1 [0283.617] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="program files (x86)") returned -1 [0283.617] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="microsoft") returned 1 [0283.617] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="sophos") returned -1 [0283.617] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.617] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.617] PathFindExtensionW (pszPath="NotificationUxBroker.008.etl") returned=".etl" [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.617] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.618] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.618] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.618] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.618] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.008.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.008.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.618] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0283.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.618] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0283.618] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0283.619] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.619] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.620] GetTickCount () returned 0x118705b [0283.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.621] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.621] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.621] SetLastError (dwErrCode=0x0) [0283.621] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.622] GetLastError () returned 0x0 [0283.622] GetLastError () returned 0x0 [0283.622] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.622] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.622] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.622] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf5e1721, dwHighDateTime=0x1d5fd73)) [0283.622] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.622] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.622] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.622] GetProcessHeap () returned 0xa10000 [0283.622] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.623] GetSystemDefaultLangID () returned 0xa20409 [0283.623] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.623] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.625] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.625] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.625] GetProcessHeap () returned 0xa10000 [0283.625] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.625] CloseHandle (hObject=0x270) returned 1 [0283.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0283.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0283.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0283.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.627] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.628] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.008.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.008.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.008.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.008.etl.nefilim")) returned 1 [0283.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.628] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x2fb7ebe4, ftLastAccessTime.dwHighDateTime=0x1d327d1, ftLastWriteTime.dwLowDateTime=0x2fc89ca0, ftLastWriteTime.dwHighDateTime=0x1d327d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.009.etl", cAlternateFileName="NO492C~1.ETL")) returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2=".") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="..") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="...") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="windows") returned -1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="rsa") returned -1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="NTDETECT.COM") returned -1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="ntldr") returned -1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="MSDOS.SYS") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="IO.SYS") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="boot.ini") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="ntuser.dat") returned -1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="desktop.ini") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="CONFIG.SYS") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="RECYCLER") returned -1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="bootmgr") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="programdata") returned -1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="appdata") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="program files") returned -1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="program files (x86)") returned -1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="microsoft") returned 1 [0283.629] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="sophos") returned -1 [0283.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.629] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.629] PathFindExtensionW (pszPath="NotificationUxBroker.009.etl") returned=".etl" [0283.629] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.629] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.629] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.629] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.629] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.629] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.630] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.630] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.630] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.630] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.009.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.009.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.630] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.630] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0283.630] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.630] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0283.630] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0283.631] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.632] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.634] GetTickCount () returned 0x118706b [0283.634] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.634] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.634] SetLastError (dwErrCode=0x0) [0283.634] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.635] GetLastError () returned 0x0 [0283.635] GetLastError () returned 0x0 [0283.636] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.636] WriteFile (in: hFile=0x270, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.636] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.636] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf6079b8, dwHighDateTime=0x1d5fd73)) [0283.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.636] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.636] GetProcessHeap () returned 0xa10000 [0283.636] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.636] GetSystemDefaultLangID () returned 0xa20409 [0283.636] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.636] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.641] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.641] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.641] GetProcessHeap () returned 0xa10000 [0283.641] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.641] CloseHandle (hObject=0x270) returned 1 [0283.642] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0283.642] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0283.642] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de060 | out: hHeap=0x28d0000) returned 1 [0283.642] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.642] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.642] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.009.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.009.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.009.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.009.etl.nefilim")) returned 1 [0283.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.644] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xd855139b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xd87b395e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.010.etl", cAlternateFileName="NO0EF1~1.ETL")) returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2=".") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="..") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="...") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="windows") returned -1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="rsa") returned -1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="NTDETECT.COM") returned -1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="ntldr") returned -1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="MSDOS.SYS") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="IO.SYS") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="boot.ini") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="ntuser.dat") returned -1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="desktop.ini") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="CONFIG.SYS") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="RECYCLER") returned -1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="bootmgr") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="programdata") returned -1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="appdata") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="program files") returned -1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="program files (x86)") returned -1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="microsoft") returned 1 [0283.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="sophos") returned -1 [0283.644] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.644] PathFindExtensionW (pszPath="NotificationUxBroker.010.etl") returned=".etl" [0283.644] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.645] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.645] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.645] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.010.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.010.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.645] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0283.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.646] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0283.646] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0283.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0283.646] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.646] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.646] GetTickCount () returned 0x118707b [0283.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.646] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.646] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.646] SetLastError (dwErrCode=0x0) [0283.646] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.647] GetLastError () returned 0x0 [0283.647] GetLastError () returned 0x0 [0283.648] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.648] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.648] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.648] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf62dbe7, dwHighDateTime=0x1d5fd73)) [0283.648] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.648] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.648] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.648] GetProcessHeap () returned 0xa10000 [0283.648] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.648] GetSystemDefaultLangID () returned 0xa20409 [0283.648] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.648] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.672] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.672] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.673] GetProcessHeap () returned 0xa10000 [0283.673] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.673] CloseHandle (hObject=0x270) returned 1 [0283.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0283.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0283.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0283.676] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.676] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.010.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.010.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.010.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.010.etl.nefilim")) returned 1 [0283.677] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.677] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.677] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x1ff683d6, ftLastAccessTime.dwHighDateTime=0x1d327c0, ftLastWriteTime.dwLowDateTime=0x20000d39, ftLastWriteTime.dwHighDateTime=0x1d327c0, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.011.etl", cAlternateFileName="NOC3D2~1.ETL")) returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2=".") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="..") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="...") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="windows") returned -1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="rsa") returned -1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="NTDETECT.COM") returned -1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="ntldr") returned -1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="MSDOS.SYS") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="IO.SYS") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="boot.ini") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="ntuser.dat") returned -1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="desktop.ini") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="CONFIG.SYS") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="RECYCLER") returned -1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="bootmgr") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="programdata") returned -1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="appdata") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="program files") returned -1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="program files (x86)") returned -1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="microsoft") returned 1 [0283.677] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="sophos") returned -1 [0283.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.678] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.678] PathFindExtensionW (pszPath="NotificationUxBroker.011.etl") returned=".etl" [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.678] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.678] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.678] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.011.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.011.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.679] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.679] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0283.679] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.679] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0283.679] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.679] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0283.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0283.680] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.680] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.681] GetTickCount () returned 0x118709a [0283.681] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.681] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.681] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.681] SetLastError (dwErrCode=0x0) [0283.681] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.683] GetLastError () returned 0x0 [0283.683] GetLastError () returned 0x0 [0283.683] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.683] WriteFile (in: hFile=0x270, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.683] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.683] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf67bb78, dwHighDateTime=0x1d5fd73)) [0283.683] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.683] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.683] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.683] GetProcessHeap () returned 0xa10000 [0283.683] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.684] GetSystemDefaultLangID () returned 0xa20409 [0283.684] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.684] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.707] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.707] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.707] GetProcessHeap () returned 0xa10000 [0283.707] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.707] CloseHandle (hObject=0x270) returned 1 [0283.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0283.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0283.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0283.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.709] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.709] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.011.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.011.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.011.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.011.etl.nefilim")) returned 1 [0283.710] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.710] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.710] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x46e2de3d, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0x46eecb64, ftLastWriteTime.dwHighDateTime=0x1d327bf, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.012.etl", cAlternateFileName="NOA86A~1.ETL")) returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2=".") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="..") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="...") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="windows") returned -1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="rsa") returned -1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="NTDETECT.COM") returned -1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="ntldr") returned -1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="MSDOS.SYS") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="IO.SYS") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="boot.ini") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="ntuser.dat") returned -1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="desktop.ini") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="CONFIG.SYS") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="RECYCLER") returned -1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="bootmgr") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="programdata") returned -1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="appdata") returned 1 [0283.710] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="program files") returned -1 [0283.711] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="program files (x86)") returned -1 [0283.711] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="microsoft") returned 1 [0283.711] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="sophos") returned -1 [0283.711] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.711] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.711] PathFindExtensionW (pszPath="NotificationUxBroker.012.etl") returned=".etl" [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.711] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.711] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.711] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.711] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.012.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.012.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.712] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0283.712] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.712] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0283.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0283.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.713] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.714] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.715] GetTickCount () returned 0x11870b9 [0283.715] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.715] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.715] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.715] SetLastError (dwErrCode=0x0) [0283.715] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.716] GetLastError () returned 0x0 [0283.716] GetLastError () returned 0x0 [0283.716] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.717] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.717] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.717] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf6c656e, dwHighDateTime=0x1d5fd73)) [0283.717] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.717] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.717] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.717] GetProcessHeap () returned 0xa10000 [0283.717] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.717] GetSystemDefaultLangID () returned 0xa20409 [0283.717] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.717] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.750] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.750] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.751] GetProcessHeap () returned 0xa10000 [0283.751] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.751] CloseHandle (hObject=0x270) returned 1 [0283.754] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0283.754] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0283.754] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.754] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0283.754] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.754] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.012.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.012.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.012.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.012.etl.nefilim")) returned 1 [0283.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.755] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x235d058f, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0x23917bad, ftLastWriteTime.dwHighDateTime=0x1d327bf, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.013.etl", cAlternateFileName="NO3128~1.ETL")) returned 1 [0283.755] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2=".") returned 1 [0283.755] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="..") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="...") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="windows") returned -1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="rsa") returned -1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="NTDETECT.COM") returned -1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="ntldr") returned -1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="MSDOS.SYS") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="IO.SYS") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="boot.ini") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="ntuser.dat") returned -1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="desktop.ini") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="CONFIG.SYS") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="RECYCLER") returned -1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="bootmgr") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="programdata") returned -1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="appdata") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="program files") returned -1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="program files (x86)") returned -1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="microsoft") returned 1 [0283.756] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="sophos") returned -1 [0283.756] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.756] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.756] PathFindExtensionW (pszPath="NotificationUxBroker.013.etl") returned=".etl" [0283.756] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.756] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.756] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.756] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.756] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.757] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.757] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.757] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.013.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.013.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.757] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0283.757] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.757] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0283.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0283.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0283.758] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.758] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.758] GetTickCount () returned 0x11870e8 [0283.758] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.758] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.758] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.758] SetLastError (dwErrCode=0x0) [0283.758] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.760] GetLastError () returned 0x0 [0283.760] GetLastError () returned 0x0 [0283.760] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.760] WriteFile (in: hFile=0x270, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.760] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.760] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf73c115, dwHighDateTime=0x1d5fd73)) [0283.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.760] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.760] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.760] GetProcessHeap () returned 0xa10000 [0283.760] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.760] GetSystemDefaultLangID () returned 0xa20409 [0283.760] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.760] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.771] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.771] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.772] GetProcessHeap () returned 0xa10000 [0283.772] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.772] CloseHandle (hObject=0x270) returned 1 [0283.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0283.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0283.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0283.779] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.780] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.013.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.013.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.013.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.013.etl.nefilim")) returned 1 [0283.781] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.781] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.781] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x8f69453d, ftLastAccessTime.dwHighDateTime=0x1d327b9, ftLastWriteTime.dwLowDateTime=0x8f779518, ftLastWriteTime.dwHighDateTime=0x1d327b9, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.014.etl", cAlternateFileName="NO43D2~1.ETL")) returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2=".") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="..") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="...") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="windows") returned -1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="rsa") returned -1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="NTDETECT.COM") returned -1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="ntldr") returned -1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="MSDOS.SYS") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="IO.SYS") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="boot.ini") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="ntuser.dat") returned -1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="desktop.ini") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="CONFIG.SYS") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="RECYCLER") returned -1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="bootmgr") returned 1 [0283.781] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="programdata") returned -1 [0283.782] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="appdata") returned 1 [0283.782] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="program files") returned -1 [0283.782] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="program files (x86)") returned -1 [0283.782] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="microsoft") returned 1 [0283.782] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="sophos") returned -1 [0283.782] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.782] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.782] PathFindExtensionW (pszPath="NotificationUxBroker.014.etl") returned=".etl" [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.782] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.782] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.782] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.783] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.014.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.014.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.787] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.787] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.787] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0283.787] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.787] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0283.787] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.787] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0283.787] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.787] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.789] GetTickCount () returned 0x1187107 [0283.789] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.789] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.789] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.789] SetLastError (dwErrCode=0x0) [0283.789] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.795] GetLastError () returned 0x0 [0283.795] GetLastError () returned 0x0 [0283.795] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.795] WriteFile (in: hFile=0x270, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.796] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.796] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf78501a, dwHighDateTime=0x1d5fd73)) [0283.796] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.796] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.796] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.796] GetProcessHeap () returned 0xa10000 [0283.796] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.797] GetSystemDefaultLangID () returned 0xa20409 [0283.797] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.797] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.925] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.925] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.926] GetProcessHeap () returned 0xa10000 [0283.926] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.926] CloseHandle (hObject=0x270) returned 1 [0283.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0283.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0283.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0283.927] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.927] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.014.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.014.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.014.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.014.etl.nefilim")) returned 1 [0283.928] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.928] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.928] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7fb3688d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7fc1b6b8, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.015.etl", cAlternateFileName="NOTIFI~4.ETL")) returned 1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2=".") returned 1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="..") returned 1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="...") returned 1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="windows") returned -1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="rsa") returned -1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="NTDETECT.COM") returned -1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="ntldr") returned -1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="MSDOS.SYS") returned 1 [0283.928] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="IO.SYS") returned 1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="boot.ini") returned 1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="ntuser.dat") returned -1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="desktop.ini") returned 1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="CONFIG.SYS") returned 1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="RECYCLER") returned -1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="bootmgr") returned 1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="programdata") returned -1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="appdata") returned 1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="program files") returned -1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="program files (x86)") returned -1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="microsoft") returned 1 [0283.929] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="sophos") returned -1 [0283.929] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.929] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.929] PathFindExtensionW (pszPath="NotificationUxBroker.015.etl") returned=".etl" [0283.929] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.929] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.929] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.929] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.929] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.929] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.929] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.930] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.930] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.930] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.930] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.930] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.930] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.930] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.930] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.930] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.930] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.930] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.015.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.015.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.931] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0283.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.931] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0283.931] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0283.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0283.931] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.932] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.934] GetTickCount () returned 0x1187194 [0283.934] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.934] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.934] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.934] SetLastError (dwErrCode=0x0) [0283.934] WriteFile (in: hFile=0x270, lpBuffer=0x2d20bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20bc8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.935] GetLastError () returned 0x0 [0283.935] GetLastError () returned 0x0 [0283.935] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.935] WriteFile (in: hFile=0x270, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.935] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.935] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf8dc64e, dwHighDateTime=0x1d5fd73)) [0283.935] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.935] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.935] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.935] GetProcessHeap () returned 0xa10000 [0283.935] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.935] GetSystemDefaultLangID () returned 0xa20409 [0283.935] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.935] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.936] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.936] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.937] GetProcessHeap () returned 0xa10000 [0283.937] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.937] CloseHandle (hObject=0x270) returned 1 [0283.938] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20bc8 | out: hHeap=0x28d0000) returned 1 [0283.938] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0283.938] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0283.938] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.938] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.938] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.015.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.015.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.015.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.015.etl.nefilim")) returned 1 [0283.939] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.939] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.939] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xcb502d29, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xcb5c1a4e, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.016.etl", cAlternateFileName="NOTIFI~3.ETL")) returned 1 [0283.939] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2=".") returned 1 [0283.939] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="..") returned 1 [0283.939] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="...") returned 1 [0283.939] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="windows") returned -1 [0283.939] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.939] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="rsa") returned -1 [0283.939] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="NTDETECT.COM") returned -1 [0283.939] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="ntldr") returned -1 [0283.939] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="MSDOS.SYS") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="IO.SYS") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="boot.ini") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="ntuser.dat") returned -1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="desktop.ini") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="CONFIG.SYS") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="RECYCLER") returned -1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="bootmgr") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="programdata") returned -1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="appdata") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="program files") returned -1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="program files (x86)") returned -1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="microsoft") returned 1 [0283.940] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="sophos") returned -1 [0283.940] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.940] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.940] PathFindExtensionW (pszPath="NotificationUxBroker.016.etl") returned=".etl" [0283.940] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.940] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.940] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.940] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.940] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.941] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.941] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.941] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.941] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.016.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.016.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.942] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0283.942] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.942] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0283.942] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.942] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0283.942] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0283.942] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0283.942] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.942] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.944] GetTickCount () returned 0x11871a3 [0283.944] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.944] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.944] SetLastError (dwErrCode=0x0) [0283.944] WriteFile (in: hFile=0x270, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.945] GetLastError () returned 0x0 [0283.945] GetLastError () returned 0x0 [0283.945] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.945] WriteFile (in: hFile=0x270, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.945] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.945] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf902917, dwHighDateTime=0x1d5fd73)) [0283.945] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.945] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.945] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.945] GetProcessHeap () returned 0xa10000 [0283.945] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0283.945] GetSystemDefaultLangID () returned 0xa20409 [0283.945] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.945] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0283.988] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.988] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0283.989] GetProcessHeap () returned 0xa10000 [0283.989] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0283.989] CloseHandle (hObject=0x270) returned 1 [0283.990] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0283.990] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0283.990] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0283.990] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0283.990] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0283.990] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.016.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.016.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.016.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.016.etl.nefilim")) returned 1 [0283.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0283.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0283.991] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7b53cfc, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x8be7d51, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.017.etl", cAlternateFileName="NOTIFI~1.ETL")) returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2=".") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="..") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="...") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="windows") returned -1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="$RECYCLE.BIN") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="rsa") returned -1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="NTDETECT.COM") returned -1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="ntldr") returned -1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="MSDOS.SYS") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="IO.SYS") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="boot.ini") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="AUTOEXEC.BAT") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="ntuser.dat") returned -1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="desktop.ini") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="CONFIG.SYS") returned 1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="RECYCLER") returned -1 [0283.991] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="BOOTSECT.BAK") returned 1 [0283.992] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="bootmgr") returned 1 [0283.992] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="programdata") returned -1 [0283.992] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="appdata") returned 1 [0283.992] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="program files") returned -1 [0283.992] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="program files (x86)") returned -1 [0283.992] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="microsoft") returned 1 [0283.992] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="sophos") returned -1 [0283.992] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0283.992] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0283.992] PathFindExtensionW (pszPath="NotificationUxBroker.017.etl") returned=".etl" [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0283.992] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0283.992] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0283.992] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0283.992] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.017.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.017.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0283.993] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0283.993] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0283.994] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0283.994] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0283.994] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0283.994] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0283.994] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0283.994] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0283.994] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0283.995] GetTickCount () returned 0x11871d2 [0283.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0283.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.995] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.995] SetLastError (dwErrCode=0x0) [0283.995] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.997] GetLastError () returned 0x0 [0283.997] GetLastError () returned 0x0 [0283.997] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.997] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0283.997] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.997] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf974fe1, dwHighDateTime=0x1d5fd73)) [0283.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0283.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0283.997] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0283.997] GetProcessHeap () returned 0xa10000 [0283.997] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0283.998] GetSystemDefaultLangID () returned 0xa20409 [0283.998] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0283.999] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.035] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.035] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.035] GetProcessHeap () returned 0xa10000 [0284.035] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.035] CloseHandle (hObject=0x270) returned 1 [0284.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0284.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0284.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfd0 | out: hHeap=0x28d0000) returned 1 [0284.037] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de428 [0284.037] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.017.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.017.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.017.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.017.etl.nefilim")) returned 1 [0284.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0284.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0284.038] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc3cd5f58, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0xc3cd5f58, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.001.etl", cAlternateFileName="UP2DAF~1.ETL")) returned 1 [0284.038] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2=".") returned 1 [0284.038] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="..") returned 1 [0284.038] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="...") returned 1 [0284.038] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="windows") returned -1 [0284.038] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.038] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="rsa") returned 1 [0284.038] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="NTDETECT.COM") returned 1 [0284.038] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="ntldr") returned 1 [0284.038] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="MSDOS.SYS") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="IO.SYS") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="boot.ini") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="ntuser.dat") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="desktop.ini") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="CONFIG.SYS") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="RECYCLER") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="bootmgr") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="programdata") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="appdata") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="program files") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="program files (x86)") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="microsoft") returned 1 [0284.039] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="sophos") returned 1 [0284.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3a0 [0284.039] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.039] PathFindExtensionW (pszPath="UpdateSessionOrchestration.001.etl") returned=".etl" [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.039] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.040] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.040] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.040] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.040] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de438 [0284.040] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0284.040] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=440599260887424) returned 0 [0284.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfd0 [0284.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de060 [0284.040] SystemFunction036 (in: RandomBuffer=0x28ddfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfd0) returned 1 [0284.040] SystemFunction036 (in: RandomBuffer=0x28de060, RandomBufferLength=0x10 | out: RandomBuffer=0x28de060) returned 1 [0284.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21408 [0284.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20bc8 [0284.040] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21408*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21408*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.042] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20bc8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.043] GetTickCount () returned 0x1187201 [0284.043] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.043] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0284.043] SetLastError (dwErrCode=0x0) [0284.043] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d21408, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0) returned 0 [0284.043] GetLastError () returned 0x6 [0284.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de438 | out: hHeap=0x28d0000) returned 1 [0284.043] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x5a664fc3, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0xbbca9164, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.002.etl", cAlternateFileName="UP3884~1.ETL")) returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2=".") returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="..") returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="...") returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="windows") returned -1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="rsa") returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="NTDETECT.COM") returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="ntldr") returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="MSDOS.SYS") returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="IO.SYS") returned 1 [0284.043] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="boot.ini") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="ntuser.dat") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="desktop.ini") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="CONFIG.SYS") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="RECYCLER") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="bootmgr") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="programdata") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="appdata") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="program files") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="program files (x86)") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="microsoft") returned 1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="sophos") returned 1 [0284.044] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de438 [0284.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0284.044] PathFindExtensionW (pszPath="UpdateSessionOrchestration.002.etl") returned=".etl" [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.044] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.044] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.045] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.045] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.045] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.045] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.045] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.046] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.046] GetTickCount () returned 0x1187201 [0284.046] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.046] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.046] SetLastError (dwErrCode=0x0) [0284.046] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.048] GetLastError () returned 0x0 [0284.048] GetLastError () returned 0x0 [0284.048] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.048] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.048] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.048] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcf9e7685, dwHighDateTime=0x1d5fd73)) [0284.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.048] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.048] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.048] GetProcessHeap () returned 0xa10000 [0284.048] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.048] GetSystemDefaultLangID () returned 0xa20409 [0284.048] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.048] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.049] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.049] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.050] GetProcessHeap () returned 0xa10000 [0284.050] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.050] CloseHandle (hObject=0x270) returned 1 [0284.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.051] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de4d0 [0284.051] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl.nefilim")) returned 1 [0284.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de4d0 | out: hHeap=0x28d0000) returned 1 [0284.052] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.052] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcfcbff7d, ftLastAccessTime.dwHighDateTime=0x1d5e7c2, ftLastWriteTime.dwLowDateTime=0xcfcbff7d, ftLastWriteTime.dwHighDateTime=0x1d5e7c2, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.003.etl", cAlternateFileName="UP8247~1.ETL")) returned 1 [0284.052] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2=".") returned 1 [0284.052] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="..") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="...") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="windows") returned -1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="rsa") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="NTDETECT.COM") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="ntldr") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="MSDOS.SYS") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="IO.SYS") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="boot.ini") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="ntuser.dat") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="desktop.ini") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="CONFIG.SYS") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="RECYCLER") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="bootmgr") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="programdata") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="appdata") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="program files") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="program files (x86)") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="microsoft") returned 1 [0284.053] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="sophos") returned 1 [0284.053] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.053] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de438 | out: hHeap=0x28d0000) returned 1 [0284.053] PathFindExtensionW (pszPath="UpdateSessionOrchestration.003.etl") returned=".etl" [0284.053] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.053] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.054] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.054] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.054] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.054] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.054] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.055] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0284.055] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.055] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0284.055] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.055] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.055] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0284.055] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.055] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.057] GetTickCount () returned 0x1187211 [0284.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.057] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.057] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.057] SetLastError (dwErrCode=0x0) [0284.057] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.058] GetLastError () returned 0x0 [0284.058] GetLastError () returned 0x0 [0284.058] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.058] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.059] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.059] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfa0d887, dwHighDateTime=0x1d5fd73)) [0284.059] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.059] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.059] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.059] GetProcessHeap () returned 0xa10000 [0284.059] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.060] GetSystemDefaultLangID () returned 0xa20409 [0284.060] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.060] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.123] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.123] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.123] GetProcessHeap () returned 0xa10000 [0284.123] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.123] CloseHandle (hObject=0x270) returned 1 [0284.130] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.130] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0284.130] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0284.130] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.131] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl.nefilim")) returned 1 [0284.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.131] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x917b63d4, ftLastAccessTime.dwHighDateTime=0x1d5d815, ftLastWriteTime.dwLowDateTime=0xb8b481f0, ftLastWriteTime.dwHighDateTime=0x1d5d815, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.004.etl", cAlternateFileName="UPD2FC~1.ETL")) returned 1 [0284.131] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2=".") returned 1 [0284.131] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="..") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="...") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="windows") returned -1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="rsa") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="NTDETECT.COM") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="ntldr") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="MSDOS.SYS") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="IO.SYS") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="boot.ini") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="ntuser.dat") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="desktop.ini") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="CONFIG.SYS") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="RECYCLER") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="bootmgr") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="programdata") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="appdata") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="program files") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="program files (x86)") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="microsoft") returned 1 [0284.132] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="sophos") returned 1 [0284.132] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.132] PathFindExtensionW (pszPath="UpdateSessionOrchestration.004.etl") returned=".etl" [0284.132] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.132] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.132] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.132] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.132] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.133] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.133] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.133] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.133] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0284.133] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.133] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0284.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0284.133] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.135] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.136] GetTickCount () returned 0x118725f [0284.136] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.136] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.136] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.136] SetLastError (dwErrCode=0x0) [0284.136] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.137] GetLastError () returned 0x0 [0284.137] GetLastError () returned 0x0 [0284.137] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.137] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.137] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.137] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfad2308, dwHighDateTime=0x1d5fd73)) [0284.137] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.138] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.138] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.138] GetProcessHeap () returned 0xa10000 [0284.138] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.138] GetSystemDefaultLangID () returned 0xa20409 [0284.138] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.138] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.139] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.140] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.140] GetProcessHeap () returned 0xa10000 [0284.140] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.140] CloseHandle (hObject=0x270) returned 1 [0284.147] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.147] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0284.147] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.147] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.147] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.147] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl.nefilim")) returned 1 [0284.153] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.153] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.153] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x150f0f86, ftLastAccessTime.dwHighDateTime=0x1d5d811, ftLastWriteTime.dwLowDateTime=0x39296693, ftLastWriteTime.dwHighDateTime=0x1d5d811, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.005.etl", cAlternateFileName="UPB784~1.ETL")) returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2=".") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="..") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="...") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="windows") returned -1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="rsa") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="NTDETECT.COM") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="ntldr") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="MSDOS.SYS") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="IO.SYS") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="boot.ini") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="ntuser.dat") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="desktop.ini") returned 1 [0284.153] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="CONFIG.SYS") returned 1 [0284.154] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="RECYCLER") returned 1 [0284.154] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.154] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="bootmgr") returned 1 [0284.154] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="programdata") returned 1 [0284.154] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="appdata") returned 1 [0284.154] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="program files") returned 1 [0284.154] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="program files (x86)") returned 1 [0284.154] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="microsoft") returned 1 [0284.154] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="sophos") returned 1 [0284.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.154] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.154] PathFindExtensionW (pszPath="UpdateSessionOrchestration.005.etl") returned=".etl" [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.154] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.155] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.155] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.155] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.155] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.155] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.155] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.155] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.155] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.155] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0284.155] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.155] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0284.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0284.156] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.156] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.156] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.157] GetTickCount () returned 0x118726f [0284.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.157] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.157] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.157] SetLastError (dwErrCode=0x0) [0284.157] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.158] GetLastError () returned 0x0 [0284.158] GetLastError () returned 0x0 [0284.158] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.158] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.158] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.159] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfafbbfb, dwHighDateTime=0x1d5fd73)) [0284.159] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.183] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.183] GetProcessHeap () returned 0xa10000 [0284.183] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.183] GetSystemDefaultLangID () returned 0xa20409 [0284.183] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.183] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.184] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.184] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.185] GetProcessHeap () returned 0xa10000 [0284.185] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.185] CloseHandle (hObject=0x270) returned 1 [0284.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0284.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.186] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.186] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl.nefilim")) returned 1 [0284.187] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.187] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.187] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1f83bc0, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0x32ea756e, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.006.etl", cAlternateFileName="UP7D55~1.ETL")) returned 1 [0284.187] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2=".") returned 1 [0284.187] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="..") returned 1 [0284.187] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="...") returned 1 [0284.187] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="windows") returned -1 [0284.187] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.187] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="rsa") returned 1 [0284.187] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="NTDETECT.COM") returned 1 [0284.187] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="ntldr") returned 1 [0284.187] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="MSDOS.SYS") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="IO.SYS") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="boot.ini") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="ntuser.dat") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="desktop.ini") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="CONFIG.SYS") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="RECYCLER") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="bootmgr") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="programdata") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="appdata") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="program files") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="program files (x86)") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="microsoft") returned 1 [0284.188] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="sophos") returned 1 [0284.188] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.188] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.188] PathFindExtensionW (pszPath="UpdateSessionOrchestration.006.etl") returned=".etl" [0284.188] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.188] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.188] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.188] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.188] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.188] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.188] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.189] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.189] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.189] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.189] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.189] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.189] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.189] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.189] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.189] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.189] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.189] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.189] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.189] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.189] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.189] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0284.189] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.190] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0284.190] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.190] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0284.190] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.285] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.287] GetTickCount () returned 0x11872fb [0284.287] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.287] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.287] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.287] SetLastError (dwErrCode=0x0) [0284.287] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.288] GetLastError () returned 0x0 [0284.288] GetLastError () returned 0x0 [0284.289] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.289] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.289] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.289] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfc49ccc, dwHighDateTime=0x1d5fd73)) [0284.289] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.289] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.289] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.289] GetProcessHeap () returned 0xa10000 [0284.289] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.291] GetSystemDefaultLangID () returned 0xa20409 [0284.291] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.291] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.298] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.298] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.299] GetProcessHeap () returned 0xa10000 [0284.299] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.299] CloseHandle (hObject=0x270) returned 1 [0284.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0284.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.305] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.305] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl.nefilim")) returned 1 [0284.306] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.307] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.307] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfdc37a18, ftLastAccessTime.dwHighDateTime=0x1d5d80e, ftLastWriteTime.dwLowDateTime=0x290206fd, ftLastWriteTime.dwHighDateTime=0x1d5d80f, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.007.etl", cAlternateFileName="UP52FC~1.ETL")) returned 1 [0284.307] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2=".") returned 1 [0284.307] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="..") returned 1 [0284.307] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="...") returned 1 [0284.307] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="windows") returned -1 [0284.307] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.307] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="rsa") returned 1 [0284.307] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="NTDETECT.COM") returned 1 [0284.307] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="ntldr") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="MSDOS.SYS") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="IO.SYS") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="boot.ini") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="ntuser.dat") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="desktop.ini") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="CONFIG.SYS") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="RECYCLER") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="bootmgr") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="programdata") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="appdata") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="program files") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="program files (x86)") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="microsoft") returned 1 [0284.308] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="sophos") returned 1 [0284.308] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.308] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.308] PathFindExtensionW (pszPath="UpdateSessionOrchestration.007.etl") returned=".etl" [0284.308] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.309] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.309] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.310] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.310] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.310] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.310] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.310] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.310] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.310] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0284.310] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.310] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.312] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.314] GetTickCount () returned 0x118730b [0284.314] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.314] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.314] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.314] SetLastError (dwErrCode=0x0) [0284.315] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.316] GetLastError () returned 0x0 [0284.316] GetLastError () returned 0x0 [0284.316] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.316] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.317] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.317] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfc96212, dwHighDateTime=0x1d5fd73)) [0284.317] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.317] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.317] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.317] GetProcessHeap () returned 0xa10000 [0284.317] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.317] GetSystemDefaultLangID () returned 0xa20409 [0284.317] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.317] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.333] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.335] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.337] GetProcessHeap () returned 0xa10000 [0284.337] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.338] CloseHandle (hObject=0x270) returned 1 [0284.344] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0284.344] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.345] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl.nefilim")) returned 1 [0284.351] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.351] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.351] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8a5979b2, ftLastAccessTime.dwHighDateTime=0x1d5d80d, ftLastWriteTime.dwLowDateTime=0x8a5979b2, ftLastWriteTime.dwHighDateTime=0x1d5d80d, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.008.etl", cAlternateFileName="UPA721~1.ETL")) returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2=".") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="..") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="...") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="windows") returned -1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="rsa") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="NTDETECT.COM") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="ntldr") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="MSDOS.SYS") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="IO.SYS") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="boot.ini") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.351] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="ntuser.dat") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="desktop.ini") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="CONFIG.SYS") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="RECYCLER") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="bootmgr") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="programdata") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="appdata") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="program files") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="program files (x86)") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="microsoft") returned 1 [0284.352] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="sophos") returned 1 [0284.352] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.352] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.352] PathFindExtensionW (pszPath="UpdateSessionOrchestration.008.etl") returned=".etl" [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.352] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.353] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.353] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.353] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.353] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.353] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.353] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.353] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.353] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=4096) returned 1 [0284.353] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.353] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.353] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.353] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.353] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.353] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0284.353] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.354] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.354] GetTickCount () returned 0x118733a [0284.354] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.354] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.354] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.354] SetLastError (dwErrCode=0x0) [0284.354] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.356] GetLastError () returned 0x0 [0284.356] GetLastError () returned 0x0 [0284.356] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.356] WriteFile (in: hFile=0x270, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.356] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.356] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfce23bd, dwHighDateTime=0x1d5fd73)) [0284.356] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.356] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.356] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.356] GetProcessHeap () returned 0xa10000 [0284.356] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1000) returned 0xa3f6a8 [0284.356] GetSystemDefaultLangID () returned 0xa20409 [0284.356] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.356] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x1000, lpOverlapped=0x0) returned 1 [0284.357] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.357] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x1000, lpOverlapped=0x0) returned 1 [0284.357] GetProcessHeap () returned 0xa10000 [0284.357] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.358] CloseHandle (hObject=0x270) returned 1 [0284.359] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.359] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0284.359] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.359] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.359] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.359] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl.nefilim")) returned 1 [0284.360] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.360] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.361] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcbc9fc38, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xefa43826, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.009.etl", cAlternateFileName="UPFC55~1.ETL")) returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2=".") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="..") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="...") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="windows") returned -1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="rsa") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="NTDETECT.COM") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="ntldr") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="MSDOS.SYS") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="IO.SYS") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="boot.ini") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="ntuser.dat") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="desktop.ini") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="CONFIG.SYS") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="RECYCLER") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="bootmgr") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="programdata") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="appdata") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="program files") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="program files (x86)") returned 1 [0284.361] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="microsoft") returned 1 [0284.362] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="sophos") returned 1 [0284.362] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.362] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.362] PathFindExtensionW (pszPath="UpdateSessionOrchestration.009.etl") returned=".etl" [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.362] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.363] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.363] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.363] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.363] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.363] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.363] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.363] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.363] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.363] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.363] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.363] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0284.363] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.363] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0284.363] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0284.363] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0284.363] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.364] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.365] GetTickCount () returned 0x1187349 [0284.365] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.365] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.365] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.366] SetLastError (dwErrCode=0x0) [0284.366] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.367] GetLastError () returned 0x0 [0284.367] GetLastError () returned 0x0 [0284.367] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.367] WriteFile (in: hFile=0x270, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.367] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.367] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfd08869, dwHighDateTime=0x1d5fd73)) [0284.367] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.367] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.367] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.367] GetProcessHeap () returned 0xa10000 [0284.367] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.368] GetSystemDefaultLangID () returned 0xa20409 [0284.368] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.369] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.371] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.372] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.372] GetProcessHeap () returned 0xa10000 [0284.372] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.372] CloseHandle (hObject=0x270) returned 1 [0284.376] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0284.376] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0284.376] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.376] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0284.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.376] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl.nefilim")) returned 1 [0284.377] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.377] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.377] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf1e2e9c9, ftLastAccessTime.dwHighDateTime=0x1d5d80b, ftLastWriteTime.dwLowDateTime=0x1ca46d4f, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.010.etl", cAlternateFileName="UPB13B~1.ETL")) returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2=".") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="..") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="...") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="windows") returned -1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="rsa") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="NTDETECT.COM") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="ntldr") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="MSDOS.SYS") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="IO.SYS") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="boot.ini") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="ntuser.dat") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="desktop.ini") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="CONFIG.SYS") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="RECYCLER") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="bootmgr") returned 1 [0284.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="programdata") returned 1 [0284.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="appdata") returned 1 [0284.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="program files") returned 1 [0284.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="program files (x86)") returned 1 [0284.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="microsoft") returned 1 [0284.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="sophos") returned 1 [0284.397] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.397] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.397] PathFindExtensionW (pszPath="UpdateSessionOrchestration.010.etl") returned=".etl" [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.397] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.398] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.398] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.398] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.398] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.398] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.398] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.398] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.398] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.398] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.399] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.399] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0284.399] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.399] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0284.399] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.399] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0284.399] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.404] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.406] GetTickCount () returned 0x1187369 [0284.406] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.406] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.406] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.406] SetLastError (dwErrCode=0x0) [0284.406] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.407] GetLastError () returned 0x0 [0284.407] GetLastError () returned 0x0 [0284.407] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.407] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.407] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.408] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfd54d09, dwHighDateTime=0x1d5fd73)) [0284.408] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.408] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.408] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.408] GetProcessHeap () returned 0xa10000 [0284.408] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.408] GetSystemDefaultLangID () returned 0xa20409 [0284.408] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.408] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.457] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.457] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.458] GetProcessHeap () returned 0xa10000 [0284.458] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.458] CloseHandle (hObject=0x270) returned 1 [0284.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0284.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0284.468] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.468] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl.nefilim")) returned 1 [0284.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.469] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf7e12839, ftLastAccessTime.dwHighDateTime=0x1d5d805, ftLastWriteTime.dwLowDateTime=0x26688c0b, ftLastWriteTime.dwHighDateTime=0x1d5d806, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.011.etl", cAlternateFileName="UP076F~1.ETL")) returned 1 [0284.469] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2=".") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="..") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="...") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="windows") returned -1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="rsa") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="NTDETECT.COM") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="ntldr") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="MSDOS.SYS") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="IO.SYS") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="boot.ini") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="ntuser.dat") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="desktop.ini") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="CONFIG.SYS") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="RECYCLER") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="bootmgr") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="programdata") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="appdata") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="program files") returned 1 [0284.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="program files (x86)") returned 1 [0284.471] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="microsoft") returned 1 [0284.471] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="sophos") returned 1 [0284.471] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.471] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.471] PathFindExtensionW (pszPath="UpdateSessionOrchestration.011.etl") returned=".etl" [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.471] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.472] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.472] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.472] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.472] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.472] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.472] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.472] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.472] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.472] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.472] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0284.472] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.474] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.475] GetTickCount () returned 0x11873b7 [0284.475] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.475] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.475] SetLastError (dwErrCode=0x0) [0284.475] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.479] GetLastError () returned 0x0 [0284.479] GetLastError () returned 0x0 [0284.479] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.479] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.479] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.479] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfe18048, dwHighDateTime=0x1d5fd73)) [0284.479] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.479] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.479] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.481] GetProcessHeap () returned 0xa10000 [0284.481] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.481] GetSystemDefaultLangID () returned 0xa20409 [0284.481] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.482] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.497] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.497] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.498] GetProcessHeap () returned 0xa10000 [0284.498] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.498] CloseHandle (hObject=0x270) returned 1 [0284.504] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.504] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0284.504] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.504] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.504] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.504] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl.nefilim")) returned 1 [0284.505] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.505] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.505] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xde371631, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0x2bb800e, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.012.etl", cAlternateFileName="UPEBF6~1.ETL")) returned 1 [0284.505] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2=".") returned 1 [0284.505] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="..") returned 1 [0284.505] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="...") returned 1 [0284.505] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="windows") returned -1 [0284.505] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.505] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="rsa") returned 1 [0284.505] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="NTDETECT.COM") returned 1 [0284.505] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="ntldr") returned 1 [0284.505] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="MSDOS.SYS") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="IO.SYS") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="boot.ini") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="ntuser.dat") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="desktop.ini") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="CONFIG.SYS") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="RECYCLER") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="bootmgr") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="programdata") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="appdata") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="program files") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="program files (x86)") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="microsoft") returned 1 [0284.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="sophos") returned 1 [0284.506] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.506] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.506] PathFindExtensionW (pszPath="UpdateSessionOrchestration.012.etl") returned=".etl" [0284.506] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.506] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.506] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.506] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.506] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.506] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.506] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.507] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.507] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.507] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.507] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.507] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.507] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.507] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.507] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.507] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.507] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.507] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.507] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.507] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.507] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0284.507] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.507] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0284.507] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.508] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.508] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.508] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.510] GetTickCount () returned 0x11873d6 [0284.510] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.510] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.510] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.510] SetLastError (dwErrCode=0x0) [0284.510] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.511] GetLastError () returned 0x0 [0284.511] GetLastError () returned 0x0 [0284.511] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.511] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.512] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.512] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfe61a91, dwHighDateTime=0x1d5fd73)) [0284.512] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.512] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.512] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.512] GetProcessHeap () returned 0xa10000 [0284.512] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.513] GetSystemDefaultLangID () returned 0xa20409 [0284.513] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.513] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.519] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.519] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.519] GetProcessHeap () returned 0xa10000 [0284.519] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.519] CloseHandle (hObject=0x270) returned 1 [0284.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.523] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.523] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl.nefilim")) returned 1 [0284.524] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.524] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.524] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2a522d7b, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0x4e6dab1f, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.013.etl", cAlternateFileName="UP8DEE~1.ETL")) returned 1 [0284.524] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2=".") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="..") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="...") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="windows") returned -1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="rsa") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="NTDETECT.COM") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="ntldr") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="MSDOS.SYS") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="IO.SYS") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="boot.ini") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="ntuser.dat") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="desktop.ini") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="CONFIG.SYS") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="RECYCLER") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="bootmgr") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="programdata") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="appdata") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="program files") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="program files (x86)") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="microsoft") returned 1 [0284.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="sophos") returned 1 [0284.525] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.525] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.525] PathFindExtensionW (pszPath="UpdateSessionOrchestration.013.etl") returned=".etl" [0284.525] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.526] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.526] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.526] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.526] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.527] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0284.527] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.527] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0284.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0284.527] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.529] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.530] GetTickCount () returned 0x11873e6 [0284.530] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.530] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.531] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.531] SetLastError (dwErrCode=0x0) [0284.531] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.532] GetLastError () returned 0x0 [0284.532] GetLastError () returned 0x0 [0284.532] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.532] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.532] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.532] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfe85e18, dwHighDateTime=0x1d5fd73)) [0284.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.533] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.533] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.533] GetProcessHeap () returned 0xa10000 [0284.533] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.533] GetSystemDefaultLangID () returned 0xa20409 [0284.533] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.533] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.539] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.539] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.539] GetProcessHeap () returned 0xa10000 [0284.539] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.539] CloseHandle (hObject=0x270) returned 1 [0284.553] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.553] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0284.553] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.553] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.553] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.553] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl.nefilim")) returned 1 [0284.554] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.554] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.554] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2cbb43aa, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x5454d5b0, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.014.etl", cAlternateFileName="UP38BA~1.ETL")) returned 1 [0284.554] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2=".") returned 1 [0284.554] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="..") returned 1 [0284.554] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="...") returned 1 [0284.554] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="windows") returned -1 [0284.554] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.554] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="rsa") returned 1 [0284.554] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="NTDETECT.COM") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="ntldr") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="MSDOS.SYS") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="IO.SYS") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="boot.ini") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="ntuser.dat") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="desktop.ini") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="CONFIG.SYS") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="RECYCLER") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="bootmgr") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="programdata") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="appdata") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="program files") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="program files (x86)") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="microsoft") returned 1 [0284.555] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="sophos") returned 1 [0284.555] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.555] PathFindExtensionW (pszPath="UpdateSessionOrchestration.014.etl") returned=".etl" [0284.555] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.555] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.555] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.555] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.556] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.556] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.556] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.556] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.556] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0284.557] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.557] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0284.557] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.557] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.557] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0284.557] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.557] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.558] GetTickCount () returned 0x1187405 [0284.558] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.558] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.558] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.558] SetLastError (dwErrCode=0x0) [0284.558] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.559] GetLastError () returned 0x0 [0284.559] GetLastError () returned 0x0 [0284.559] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.559] WriteFile (in: hFile=0x270, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.560] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.560] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfed8e5b, dwHighDateTime=0x1d5fd73)) [0284.560] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.560] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.560] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.560] GetProcessHeap () returned 0xa10000 [0284.560] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.560] GetSystemDefaultLangID () returned 0xa20409 [0284.560] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.560] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.562] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.562] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.562] GetProcessHeap () returned 0xa10000 [0284.562] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.563] CloseHandle (hObject=0x270) returned 1 [0284.567] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.567] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0284.567] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0284.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.568] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.568] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl.nefilim")) returned 1 [0284.569] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.569] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.569] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x60de6047, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x60de6047, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.015.etl", cAlternateFileName="UPE286~1.ETL")) returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2=".") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="..") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="...") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="windows") returned -1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="rsa") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="NTDETECT.COM") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="ntldr") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="MSDOS.SYS") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="IO.SYS") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="boot.ini") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="ntuser.dat") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="desktop.ini") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="CONFIG.SYS") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="RECYCLER") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="bootmgr") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="programdata") returned 1 [0284.569] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="appdata") returned 1 [0284.570] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="program files") returned 1 [0284.570] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="program files (x86)") returned 1 [0284.570] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="microsoft") returned 1 [0284.570] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="sophos") returned 1 [0284.570] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.570] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.570] PathFindExtensionW (pszPath="UpdateSessionOrchestration.015.etl") returned=".etl" [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.570] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.570] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.570] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.571] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.571] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=4096) returned 1 [0284.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0284.571] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.571] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0284.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0284.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.571] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.572] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.573] GetTickCount () returned 0x1187414 [0284.573] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.573] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.573] SetLastError (dwErrCode=0x0) [0284.573] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.575] GetLastError () returned 0x0 [0284.575] GetLastError () returned 0x0 [0284.575] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.575] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.575] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.575] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcfefda21, dwHighDateTime=0x1d5fd73)) [0284.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.575] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.575] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.575] GetProcessHeap () returned 0xa10000 [0284.575] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1000) returned 0xa3f6a8 [0284.577] GetSystemDefaultLangID () returned 0xa20409 [0284.577] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.577] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x1000, lpOverlapped=0x0) returned 1 [0284.578] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.578] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x1000, lpOverlapped=0x0) returned 1 [0284.578] GetProcessHeap () returned 0xa10000 [0284.578] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.578] CloseHandle (hObject=0x270) returned 1 [0284.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0284.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0284.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.584] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl.nefilim")) returned 1 [0284.585] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.585] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.585] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa72ae253, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0xcb3f3780, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.016.etl", cAlternateFileName="UP9D42~1.ETL")) returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2=".") returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="..") returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="...") returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="windows") returned -1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="rsa") returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="NTDETECT.COM") returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="ntldr") returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="MSDOS.SYS") returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="IO.SYS") returned 1 [0284.585] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="boot.ini") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="ntuser.dat") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="desktop.ini") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="CONFIG.SYS") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="RECYCLER") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="bootmgr") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="programdata") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="appdata") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="program files") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="program files (x86)") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="microsoft") returned 1 [0284.586] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="sophos") returned 1 [0284.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.586] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.586] PathFindExtensionW (pszPath="UpdateSessionOrchestration.016.etl") returned=".etl" [0284.586] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.586] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.586] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.586] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.586] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.586] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.586] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.587] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.587] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.587] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.587] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.587] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.587] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.587] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.587] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.587] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.587] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.587] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.587] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.588] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0284.588] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.588] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0284.588] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.588] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.588] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0284.588] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.590] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.591] GetTickCount () returned 0x1187424 [0284.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.591] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.591] SetLastError (dwErrCode=0x0) [0284.591] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.593] GetLastError () returned 0x0 [0284.593] GetLastError () returned 0x0 [0284.593] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.593] WriteFile (in: hFile=0x270, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.593] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.593] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcff24c06, dwHighDateTime=0x1d5fd73)) [0284.593] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.593] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.593] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.593] GetProcessHeap () returned 0xa10000 [0284.593] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.593] GetSystemDefaultLangID () returned 0xa20409 [0284.593] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.594] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.614] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.614] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.614] GetProcessHeap () returned 0xa10000 [0284.614] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.614] CloseHandle (hObject=0x270) returned 1 [0284.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0284.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0284.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.616] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.616] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl.nefilim")) returned 1 [0284.617] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.617] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.617] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x5ca8efbc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x8784f695, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.017.etl", cAlternateFileName="UPB8BA~1.ETL")) returned 1 [0284.617] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2=".") returned 1 [0284.617] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="..") returned 1 [0284.617] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="...") returned 1 [0284.617] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="windows") returned -1 [0284.617] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="rsa") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="NTDETECT.COM") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="ntldr") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="MSDOS.SYS") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="IO.SYS") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="boot.ini") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="ntuser.dat") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="desktop.ini") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="CONFIG.SYS") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="RECYCLER") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="bootmgr") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="programdata") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="appdata") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="program files") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="program files (x86)") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="microsoft") returned 1 [0284.618] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="sophos") returned 1 [0284.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.618] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.618] PathFindExtensionW (pszPath="UpdateSessionOrchestration.017.etl") returned=".etl" [0284.618] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.618] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.618] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.619] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.619] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.619] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.619] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.017.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.619] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.619] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0284.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.620] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0284.620] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0284.620] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.620] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.621] GetTickCount () returned 0x1187443 [0284.621] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.621] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.621] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.621] SetLastError (dwErrCode=0x0) [0284.621] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.622] GetLastError () returned 0x0 [0284.622] GetLastError () returned 0x0 [0284.622] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.622] WriteFile (in: hFile=0x270, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.623] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.623] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcff6adb0, dwHighDateTime=0x1d5fd73)) [0284.623] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.623] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.623] GetProcessHeap () returned 0xa10000 [0284.623] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.623] GetSystemDefaultLangID () returned 0xa20409 [0284.623] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.623] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.626] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.626] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.626] GetProcessHeap () returned 0xa10000 [0284.626] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.626] CloseHandle (hObject=0x270) returned 1 [0284.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0284.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.628] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.628] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.017.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.017.etl.nefilim")) returned 1 [0284.629] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.630] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.630] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4346f4fe, ftLastAccessTime.dwHighDateTime=0x1d41dc4, ftLastWriteTime.dwLowDateTime=0x4346f4fe, ftLastWriteTime.dwHighDateTime=0x1d41dc4, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.018.etl", cAlternateFileName="UPAC79~1.ETL")) returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2=".") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="..") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="...") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="windows") returned -1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="rsa") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="NTDETECT.COM") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="ntldr") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="MSDOS.SYS") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="IO.SYS") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="boot.ini") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="ntuser.dat") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="desktop.ini") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="CONFIG.SYS") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="RECYCLER") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="bootmgr") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="programdata") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="appdata") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="program files") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="program files (x86)") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="microsoft") returned 1 [0284.630] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="sophos") returned 1 [0284.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.631] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.631] PathFindExtensionW (pszPath="UpdateSessionOrchestration.018.etl") returned=".etl" [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.631] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.631] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.631] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.018.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.632] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.632] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.632] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.632] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.632] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.632] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0284.632] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0284.632] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.633] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.634] GetTickCount () returned 0x1187453 [0284.634] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.634] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.634] SetLastError (dwErrCode=0x0) [0284.634] WriteFile (in: hFile=0x270, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.636] GetLastError () returned 0x0 [0284.636] GetLastError () returned 0x0 [0284.636] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.636] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.636] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.636] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcff91b00, dwHighDateTime=0x1d5fd73)) [0284.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.636] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.637] GetProcessHeap () returned 0xa10000 [0284.637] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.638] GetSystemDefaultLangID () returned 0xa20409 [0284.638] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.638] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.640] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.640] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.640] GetProcessHeap () returned 0xa10000 [0284.640] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.640] CloseHandle (hObject=0x270) returned 1 [0284.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0284.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0284.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.644] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.644] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.018.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.018.etl.nefilim")) returned 1 [0284.645] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.645] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.645] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x745a10f, ftLastAccessTime.dwHighDateTime=0x1d3aafc, ftLastWriteTime.dwLowDateTime=0x318cac0d, ftLastWriteTime.dwHighDateTime=0x1d3aafc, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.019.etl", cAlternateFileName="UP1E42~1.ETL")) returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2=".") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="..") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="...") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="windows") returned -1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="rsa") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="NTDETECT.COM") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="ntldr") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="MSDOS.SYS") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="IO.SYS") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="boot.ini") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="ntuser.dat") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="desktop.ini") returned 1 [0284.645] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="CONFIG.SYS") returned 1 [0284.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="RECYCLER") returned 1 [0284.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="bootmgr") returned 1 [0284.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="programdata") returned 1 [0284.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="appdata") returned 1 [0284.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="program files") returned 1 [0284.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="program files (x86)") returned 1 [0284.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="microsoft") returned 1 [0284.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="sophos") returned 1 [0284.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.646] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.646] PathFindExtensionW (pszPath="UpdateSessionOrchestration.019.etl") returned=".etl" [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.646] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.647] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.647] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.647] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.019.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.647] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0284.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.647] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0284.647] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0284.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.647] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.649] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.650] GetTickCount () returned 0x1187463 [0284.650] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.650] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.650] SetLastError (dwErrCode=0x0) [0284.650] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.651] GetLastError () returned 0x0 [0284.651] GetLastError () returned 0x0 [0284.652] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.652] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.652] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.652] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcffb75ab, dwHighDateTime=0x1d5fd73)) [0284.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.652] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.652] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.652] GetProcessHeap () returned 0xa10000 [0284.652] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.652] GetSystemDefaultLangID () returned 0xa20409 [0284.652] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.652] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.662] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.663] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.663] GetProcessHeap () returned 0xa10000 [0284.663] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.663] CloseHandle (hObject=0x270) returned 1 [0284.665] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0284.665] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.665] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0284.665] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.665] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.665] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.019.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.019.etl.nefilim")) returned 1 [0284.666] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.666] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.666] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd59be406, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0xd59be406, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.020.etl", cAlternateFileName="UP597C~1.ETL")) returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2=".") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="..") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="...") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="windows") returned -1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="rsa") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="NTDETECT.COM") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="ntldr") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="MSDOS.SYS") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="IO.SYS") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="boot.ini") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="ntuser.dat") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="desktop.ini") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="CONFIG.SYS") returned 1 [0284.666] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="RECYCLER") returned 1 [0284.667] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.667] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="bootmgr") returned 1 [0284.667] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="programdata") returned 1 [0284.667] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="appdata") returned 1 [0284.667] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="program files") returned 1 [0284.667] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="program files (x86)") returned 1 [0284.667] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="microsoft") returned 1 [0284.667] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="sophos") returned 1 [0284.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.667] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.667] PathFindExtensionW (pszPath="UpdateSessionOrchestration.020.etl") returned=".etl" [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.667] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.667] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.667] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.020.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.668] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=4096) returned 1 [0284.668] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.668] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0284.668] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.668] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0284.668] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.668] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0284.668] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.668] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.669] GetTickCount () returned 0x1187472 [0284.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.669] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.669] SetLastError (dwErrCode=0x0) [0284.669] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.670] GetLastError () returned 0x0 [0284.670] GetLastError () returned 0x0 [0284.670] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.670] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.670] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.670] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xcffe1891, dwHighDateTime=0x1d5fd73)) [0284.670] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.670] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.670] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.670] GetProcessHeap () returned 0xa10000 [0284.670] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1000) returned 0xa3f6a8 [0284.670] GetSystemDefaultLangID () returned 0xa20409 [0284.670] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.670] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x1000, lpOverlapped=0x0) returned 1 [0284.672] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.673] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x1000, lpOverlapped=0x0) returned 1 [0284.674] GetProcessHeap () returned 0xa10000 [0284.674] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.674] CloseHandle (hObject=0x270) returned 1 [0284.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0284.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0284.675] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.675] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.020.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.020.etl.nefilim")) returned 1 [0284.676] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.676] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.676] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x198319d2, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3f449663, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.021.etl", cAlternateFileName="UP0CB7~1.ETL")) returned 1 [0284.676] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2=".") returned 1 [0284.676] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="..") returned 1 [0284.676] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="...") returned 1 [0284.676] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="windows") returned -1 [0284.676] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.676] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="rsa") returned 1 [0284.676] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="NTDETECT.COM") returned 1 [0284.676] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="ntldr") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="MSDOS.SYS") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="IO.SYS") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="boot.ini") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="ntuser.dat") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="desktop.ini") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="CONFIG.SYS") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="RECYCLER") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="bootmgr") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="programdata") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="appdata") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="program files") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="program files (x86)") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="microsoft") returned 1 [0284.677] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="sophos") returned 1 [0284.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.677] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.677] PathFindExtensionW (pszPath="UpdateSessionOrchestration.021.etl") returned=".etl" [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.677] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.678] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.678] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.678] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.678] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.678] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.678] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.021.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.678] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0284.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0284.678] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0284.678] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0284.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.678] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.679] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.680] GetTickCount () returned 0x1187482 [0284.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.680] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.680] SetLastError (dwErrCode=0x0) [0284.680] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.681] GetLastError () returned 0x0 [0284.681] GetLastError () returned 0x0 [0284.681] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.681] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.681] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.681] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd000590f, dwHighDateTime=0x1d5fd73)) [0284.681] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.681] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.681] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.681] GetProcessHeap () returned 0xa10000 [0284.682] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.682] GetSystemDefaultLangID () returned 0xa20409 [0284.683] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.683] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.685] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.685] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.685] GetProcessHeap () returned 0xa10000 [0284.685] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.685] CloseHandle (hObject=0x270) returned 1 [0284.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0284.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0284.686] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.686] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.021.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.021.etl.nefilim")) returned 1 [0284.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.687] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1c505b8c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x58b60423, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.022.etl", cAlternateFileName="UPBE04~1.ETL")) returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2=".") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="..") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="...") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="windows") returned -1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="rsa") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="NTDETECT.COM") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="ntldr") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="MSDOS.SYS") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="IO.SYS") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="boot.ini") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.687] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="ntuser.dat") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="desktop.ini") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="CONFIG.SYS") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="RECYCLER") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="bootmgr") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="programdata") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="appdata") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="program files") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="program files (x86)") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="microsoft") returned 1 [0284.688] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="sophos") returned 1 [0284.688] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.688] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.688] PathFindExtensionW (pszPath="UpdateSessionOrchestration.022.etl") returned=".etl" [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.688] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.689] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.689] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.022.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.689] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0284.689] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.689] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0284.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0284.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.689] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.691] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.692] GetTickCount () returned 0x1187491 [0284.692] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.692] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.692] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.692] SetLastError (dwErrCode=0x0) [0284.692] WriteFile (in: hFile=0x270, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.693] GetLastError () returned 0x0 [0284.693] GetLastError () returned 0x0 [0284.693] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.693] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.693] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.693] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd00298da, dwHighDateTime=0x1d5fd73)) [0284.693] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.693] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.694] GetProcessHeap () returned 0xa10000 [0284.694] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.694] GetSystemDefaultLangID () returned 0xa20409 [0284.694] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.694] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.715] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.715] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.715] GetProcessHeap () returned 0xa10000 [0284.715] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.715] CloseHandle (hObject=0x270) returned 1 [0284.729] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0284.730] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.730] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.730] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.730] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.730] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.022.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.022.etl.nefilim")) returned 1 [0284.732] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.732] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.733] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xdaf93ab4, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0x87be9f6, ftLastWriteTime.dwHighDateTime=0x1d38c44, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.023.etl", cAlternateFileName="UPA620~1.ETL")) returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2=".") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="..") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="...") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="windows") returned -1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="rsa") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="NTDETECT.COM") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="ntldr") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="MSDOS.SYS") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="IO.SYS") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="boot.ini") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="ntuser.dat") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="desktop.ini") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="CONFIG.SYS") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="RECYCLER") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="bootmgr") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="programdata") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="appdata") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="program files") returned 1 [0284.733] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="program files (x86)") returned 1 [0284.734] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="microsoft") returned 1 [0284.734] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="sophos") returned 1 [0284.734] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.734] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.734] PathFindExtensionW (pszPath="UpdateSessionOrchestration.023.etl") returned=".etl" [0284.734] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.734] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.734] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.734] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.735] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.735] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.735] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.735] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.023.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.736] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.736] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0284.736] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0284.736] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0284.736] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0284.736] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0284.736] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.736] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.736] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.737] GetTickCount () returned 0x11874b1 [0284.737] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.737] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.737] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.737] SetLastError (dwErrCode=0x0) [0284.737] WriteFile (in: hFile=0x270, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.738] GetLastError () returned 0x0 [0284.738] GetLastError () returned 0x0 [0284.738] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.738] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.738] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.738] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd009c0b6, dwHighDateTime=0x1d5fd73)) [0284.739] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.739] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.739] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.739] GetProcessHeap () returned 0xa10000 [0284.739] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.739] GetSystemDefaultLangID () returned 0xa20409 [0284.739] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.739] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.851] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.851] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.851] GetProcessHeap () returned 0xa10000 [0284.851] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.851] CloseHandle (hObject=0x270) returned 1 [0284.855] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0284.855] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.855] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0284.855] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0284.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.856] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.023.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.023.etl.nefilim")) returned 1 [0284.857] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.857] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.857] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1977635c, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x1977635c, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.024.etl", cAlternateFileName="UP14AB~1.ETL")) returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2=".") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="..") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="...") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="windows") returned -1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="rsa") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="NTDETECT.COM") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="ntldr") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="MSDOS.SYS") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="IO.SYS") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="boot.ini") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="ntuser.dat") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="desktop.ini") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="CONFIG.SYS") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="RECYCLER") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="bootmgr") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="programdata") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="appdata") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="program files") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="program files (x86)") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="microsoft") returned 1 [0284.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="sophos") returned 1 [0284.858] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.858] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.858] PathFindExtensionW (pszPath="UpdateSessionOrchestration.024.etl") returned=".etl" [0284.858] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.858] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.858] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.858] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.858] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.858] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.858] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.859] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.859] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.859] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.859] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.859] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.859] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.859] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.859] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.859] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.859] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.859] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.859] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.024.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.859] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0284.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.860] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0284.860] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0284.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.860] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.860] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.863] GetTickCount () returned 0x118753d [0284.863] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.863] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.863] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.863] SetLastError (dwErrCode=0x0) [0284.863] WriteFile (in: hFile=0x270, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.864] GetLastError () returned 0x0 [0284.864] GetLastError () returned 0x0 [0284.864] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.864] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.864] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.864] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd01cdb4b, dwHighDateTime=0x1d5fd73)) [0284.864] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.865] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.865] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.865] GetProcessHeap () returned 0xa10000 [0284.865] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.866] GetSystemDefaultLangID () returned 0xa20409 [0284.866] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.866] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.880] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.880] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.880] GetProcessHeap () returned 0xa10000 [0284.880] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.880] CloseHandle (hObject=0x270) returned 1 [0284.882] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0284.882] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.882] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0284.882] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.882] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.882] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.024.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.024.etl.nefilim")) returned 1 [0284.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.883] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfc820227, ftLastAccessTime.dwHighDateTime=0x1d3375a, ftLastWriteTime.dwLowDateTime=0x2521b8a4, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.025.etl", cAlternateFileName="UP4198~1.ETL")) returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2=".") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="..") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="...") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="windows") returned -1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="rsa") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="NTDETECT.COM") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="ntldr") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="MSDOS.SYS") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="IO.SYS") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="boot.ini") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.883] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="ntuser.dat") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="desktop.ini") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="CONFIG.SYS") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="RECYCLER") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="bootmgr") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="programdata") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="appdata") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="program files") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="program files (x86)") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="microsoft") returned 1 [0284.884] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="sophos") returned 1 [0284.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.884] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.884] PathFindExtensionW (pszPath="UpdateSessionOrchestration.025.etl") returned=".etl" [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.884] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.885] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.885] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.885] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.885] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.025.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.885] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0284.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0284.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.885] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0284.885] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0284.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.885] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.887] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.889] GetTickCount () returned 0x118754d [0284.889] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.889] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.889] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.889] SetLastError (dwErrCode=0x0) [0284.889] WriteFile (in: hFile=0x270, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.890] GetLastError () returned 0x0 [0284.890] GetLastError () returned 0x0 [0284.890] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.890] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.890] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.891] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd01f350b, dwHighDateTime=0x1d5fd73)) [0284.891] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.891] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.891] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.891] GetProcessHeap () returned 0xa10000 [0284.891] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0284.891] GetSystemDefaultLangID () returned 0xa20409 [0284.891] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.891] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0284.893] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.893] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0284.893] GetProcessHeap () returned 0xa10000 [0284.893] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.893] CloseHandle (hObject=0x270) returned 1 [0284.895] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0284.895] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.895] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0284.895] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.895] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.895] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.025.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.025.etl.nefilim")) returned 1 [0284.896] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.896] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.896] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfd9caf15, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfd9caf15, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.026.etl", cAlternateFileName="UP96CC~1.ETL")) returned 1 [0284.896] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2=".") returned 1 [0284.896] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="..") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="...") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="windows") returned -1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="rsa") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="NTDETECT.COM") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="ntldr") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="MSDOS.SYS") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="IO.SYS") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="boot.ini") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="ntuser.dat") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="desktop.ini") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="CONFIG.SYS") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="RECYCLER") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.897] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="bootmgr") returned 1 [0284.898] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="programdata") returned 1 [0284.898] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="appdata") returned 1 [0284.898] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="program files") returned 1 [0284.898] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="program files (x86)") returned 1 [0284.898] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="microsoft") returned 1 [0284.898] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="sophos") returned 1 [0284.898] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.898] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.898] PathFindExtensionW (pszPath="UpdateSessionOrchestration.026.etl") returned=".etl" [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.898] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.899] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.899] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.899] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.899] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.899] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.899] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.899] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.899] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.026.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.899] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=4096) returned 1 [0284.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0284.899] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.899] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0284.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0284.899] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.900] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.900] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.900] GetTickCount () returned 0x118755d [0284.900] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.900] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.900] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.900] SetLastError (dwErrCode=0x0) [0284.901] WriteFile (in: hFile=0x270, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.902] GetLastError () returned 0x0 [0284.902] GetLastError () returned 0x0 [0284.902] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.902] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.902] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.902] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd0219755, dwHighDateTime=0x1d5fd73)) [0284.902] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.902] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.902] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.902] GetProcessHeap () returned 0xa10000 [0284.902] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1000) returned 0xa3f6a8 [0284.902] GetSystemDefaultLangID () returned 0xa20409 [0284.902] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.902] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x1000, lpOverlapped=0x0) returned 1 [0284.904] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.904] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x1000, lpOverlapped=0x0) returned 1 [0284.904] GetProcessHeap () returned 0xa10000 [0284.904] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.904] CloseHandle (hObject=0x270) returned 1 [0284.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0284.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.907] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.907] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.026.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.026.etl.nefilim")) returned 1 [0284.909] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.909] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.909] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xda210f79, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xb10a27a8, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.027.etl", cAlternateFileName="UP7B54~1.ETL")) returned 1 [0284.909] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2=".") returned 1 [0284.909] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="..") returned 1 [0284.909] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="...") returned 1 [0284.909] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="windows") returned -1 [0284.909] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.909] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="rsa") returned 1 [0284.909] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="NTDETECT.COM") returned 1 [0284.909] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="ntldr") returned 1 [0284.909] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="MSDOS.SYS") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="IO.SYS") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="boot.ini") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="ntuser.dat") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="desktop.ini") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="CONFIG.SYS") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="RECYCLER") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="bootmgr") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="programdata") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="appdata") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="program files") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="program files (x86)") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="microsoft") returned 1 [0284.910] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="sophos") returned 1 [0284.910] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.910] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.910] PathFindExtensionW (pszPath="UpdateSessionOrchestration.027.etl") returned=".etl" [0284.910] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.910] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.910] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.910] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.910] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.911] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.911] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.911] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.027.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.912] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=20480) returned 1 [0284.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0284.912] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.912] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0284.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0284.912] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.912] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.914] GetTickCount () returned 0x118756c [0284.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.914] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.914] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.914] SetLastError (dwErrCode=0x0) [0284.914] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.916] GetLastError () returned 0x0 [0284.916] GetLastError () returned 0x0 [0284.916] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.916] WriteFile (in: hFile=0x270, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.916] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.916] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd023fb41, dwHighDateTime=0x1d5fd73)) [0284.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.916] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.916] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.917] GetProcessHeap () returned 0xa10000 [0284.917] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x5000) returned 0xa3f6a8 [0284.918] GetSystemDefaultLangID () returned 0xa20409 [0284.918] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.918] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x5000, lpOverlapped=0x0) returned 1 [0284.921] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.921] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x5000, lpOverlapped=0x0) returned 1 [0284.921] GetProcessHeap () returned 0xa10000 [0284.921] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.922] CloseHandle (hObject=0x270) returned 1 [0284.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0284.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0284.927] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.928] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.027.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.027.etl.nefilim")) returned 1 [0284.928] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.928] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.928] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe0798fd2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x79d33ce, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.028.etl", cAlternateFileName="UPC098~1.ETL")) returned 1 [0284.928] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2=".") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="..") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="...") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="windows") returned -1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="rsa") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="NTDETECT.COM") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="ntldr") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="MSDOS.SYS") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="IO.SYS") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="boot.ini") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="ntuser.dat") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="desktop.ini") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="CONFIG.SYS") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="RECYCLER") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="bootmgr") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="programdata") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="appdata") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="program files") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="program files (x86)") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="microsoft") returned 1 [0284.929] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="sophos") returned 1 [0284.929] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.929] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.929] PathFindExtensionW (pszPath="UpdateSessionOrchestration.028.etl") returned=".etl" [0284.929] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.929] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.929] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.930] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.930] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.930] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.028.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.930] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.930] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0284.931] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.931] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0284.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.931] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.933] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.935] GetTickCount () returned 0x118757c [0284.935] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.935] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.935] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.935] SetLastError (dwErrCode=0x0) [0284.935] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.936] GetLastError () returned 0x0 [0284.936] GetLastError () returned 0x0 [0284.936] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.936] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.936] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.936] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd026c693, dwHighDateTime=0x1d5fd73)) [0284.936] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.937] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.937] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.937] GetProcessHeap () returned 0xa10000 [0284.937] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.937] GetSystemDefaultLangID () returned 0xa20409 [0284.937] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.937] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0284.938] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.938] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0284.938] GetProcessHeap () returned 0xa10000 [0284.939] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.939] CloseHandle (hObject=0x270) returned 1 [0284.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0284.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0284.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0284.944] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.944] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.028.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.028.etl.nefilim")) returned 1 [0284.945] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.945] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.945] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd7a24386, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x56762f51, ftLastWriteTime.dwHighDateTime=0x1d327d1, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.029.etl", cAlternateFileName="UP16CC~1.ETL")) returned 1 [0284.945] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2=".") returned 1 [0284.945] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="..") returned 1 [0284.945] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="...") returned 1 [0284.945] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="windows") returned -1 [0284.945] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="rsa") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="NTDETECT.COM") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="ntldr") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="MSDOS.SYS") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="IO.SYS") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="boot.ini") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="ntuser.dat") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="desktop.ini") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="CONFIG.SYS") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="RECYCLER") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="bootmgr") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="programdata") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="appdata") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="program files") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="program files (x86)") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="microsoft") returned 1 [0284.946] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="sophos") returned 1 [0284.946] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.946] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.946] PathFindExtensionW (pszPath="UpdateSessionOrchestration.029.etl") returned=".etl" [0284.946] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.946] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.946] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.946] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.947] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.947] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.947] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.029.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.029.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.947] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=16384) returned 1 [0284.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0284.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0284.947] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0284.948] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0284.948] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0284.948] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0284.948] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.948] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.948] GetTickCount () returned 0x118758b [0284.948] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.948] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.948] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.948] SetLastError (dwErrCode=0x0) [0284.948] WriteFile (in: hFile=0x270, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.949] GetLastError () returned 0x0 [0284.949] GetLastError () returned 0x0 [0284.949] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.950] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.950] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.950] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd02955a9, dwHighDateTime=0x1d5fd73)) [0284.950] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.950] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.950] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.950] GetProcessHeap () returned 0xa10000 [0284.950] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4000) returned 0xa3f6a8 [0284.950] GetSystemDefaultLangID () returned 0xa20409 [0284.950] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.950] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x4000, lpOverlapped=0x0) returned 1 [0284.952] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.952] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x4000, lpOverlapped=0x0) returned 1 [0284.952] GetProcessHeap () returned 0xa10000 [0284.952] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0284.952] CloseHandle (hObject=0x270) returned 1 [0284.955] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0284.955] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0284.955] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0284.955] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0284.955] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0284.955] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.029.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.029.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.029.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.029.etl.nefilim")) returned 1 [0284.956] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0284.957] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0284.957] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1fc4717b, ftLastAccessTime.dwHighDateTime=0x1d327c0, ftLastWriteTime.dwLowDateTime=0x46bc7f04, ftLastWriteTime.dwHighDateTime=0x1d327c0, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.030.etl", cAlternateFileName="UPDA92~1.ETL")) returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2=".") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="..") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="...") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="windows") returned -1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="$RECYCLE.BIN") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="rsa") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="NTDETECT.COM") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="ntldr") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="MSDOS.SYS") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="IO.SYS") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="boot.ini") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="AUTOEXEC.BAT") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="ntuser.dat") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="desktop.ini") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="CONFIG.SYS") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="RECYCLER") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="BOOTSECT.BAK") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="bootmgr") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="programdata") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="appdata") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="program files") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="program files (x86)") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="microsoft") returned 1 [0284.957] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="sophos") returned 1 [0284.957] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0284.957] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0284.958] PathFindExtensionW (pszPath="UpdateSessionOrchestration.030.etl") returned=".etl" [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0284.958] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0284.958] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0284.958] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0284.958] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.030.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.030.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0284.959] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0284.959] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0284.959] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0284.959] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0284.959] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0284.959] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0284.959] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0284.959] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0284.959] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0284.960] GetTickCount () returned 0x118759b [0284.960] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0284.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.961] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.961] SetLastError (dwErrCode=0x0) [0284.961] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.962] GetLastError () returned 0x0 [0284.962] GetLastError () returned 0x0 [0284.962] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.962] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0284.962] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.962] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd02b21c5, dwHighDateTime=0x1d5fd73)) [0284.962] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0284.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0284.962] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0284.962] GetProcessHeap () returned 0xa10000 [0284.962] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0284.963] GetSystemDefaultLangID () returned 0xa20409 [0284.963] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0284.963] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0285.384] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.384] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0285.384] GetProcessHeap () returned 0xa10000 [0285.384] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.385] CloseHandle (hObject=0x270) returned 1 [0285.395] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0285.395] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0285.395] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.395] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0285.395] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0285.395] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.030.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.030.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.030.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.030.etl.nefilim")) returned 1 [0285.396] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0285.396] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.396] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x22cb9437, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0x911dff9b, ftLastWriteTime.dwHighDateTime=0x1d327bf, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.031.etl", cAlternateFileName="UPBF2A~1.ETL")) returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2=".") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="..") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="...") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="windows") returned -1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="rsa") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="NTDETECT.COM") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="ntldr") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="MSDOS.SYS") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="IO.SYS") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="boot.ini") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="ntuser.dat") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="desktop.ini") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="CONFIG.SYS") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="RECYCLER") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="bootmgr") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="programdata") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="appdata") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="program files") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="program files (x86)") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="microsoft") returned 1 [0285.397] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="sophos") returned 1 [0285.397] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0285.397] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0285.397] PathFindExtensionW (pszPath="UpdateSessionOrchestration.031.etl") returned=".etl" [0285.397] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.398] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.398] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0285.398] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.031.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.031.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.398] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0285.398] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0285.398] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.398] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0285.399] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.399] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0285.399] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0285.399] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.400] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.401] GetTickCount () returned 0x1187751 [0285.401] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.401] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.401] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.401] SetLastError (dwErrCode=0x0) [0285.401] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.402] GetLastError () returned 0x0 [0285.402] GetLastError () returned 0x0 [0285.402] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.403] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.403] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.403] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd06e268c, dwHighDateTime=0x1d5fd73)) [0285.403] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.403] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.403] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.403] GetProcessHeap () returned 0xa10000 [0285.403] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0285.403] GetSystemDefaultLangID () returned 0xa20409 [0285.403] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.403] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0285.405] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.405] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0285.406] GetProcessHeap () returned 0xa10000 [0285.406] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.406] CloseHandle (hObject=0x270) returned 1 [0285.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0285.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0285.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0285.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.410] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0285.410] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.031.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.031.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.031.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.031.etl.nefilim")) returned 1 [0285.411] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0285.411] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0285.411] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8f4581c2, ftLastAccessTime.dwHighDateTime=0x1d327b9, ftLastWriteTime.dwLowDateTime=0xb62eafb0, ftLastWriteTime.dwHighDateTime=0x1d327b9, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.032.etl", cAlternateFileName="UP750B~1.ETL")) returned 1 [0285.411] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2=".") returned 1 [0285.411] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="..") returned 1 [0285.411] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="...") returned 1 [0285.411] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="windows") returned -1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="rsa") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="NTDETECT.COM") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="ntldr") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="MSDOS.SYS") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="IO.SYS") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="boot.ini") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="ntuser.dat") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="desktop.ini") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="CONFIG.SYS") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="RECYCLER") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="bootmgr") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="programdata") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="appdata") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="program files") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="program files (x86)") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="microsoft") returned 1 [0285.412] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="sophos") returned 1 [0285.412] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0285.412] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.412] PathFindExtensionW (pszPath="UpdateSessionOrchestration.032.etl") returned=".etl" [0285.412] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.412] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.412] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.412] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.413] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.413] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0285.413] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.032.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.032.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.413] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0285.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0285.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.414] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0285.414] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.414] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0285.414] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0285.414] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.414] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.415] GetTickCount () returned 0x1187760 [0285.415] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.415] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.415] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.415] SetLastError (dwErrCode=0x0) [0285.415] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.416] GetLastError () returned 0x0 [0285.416] GetLastError () returned 0x0 [0285.416] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.416] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.416] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.416] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd07044d6, dwHighDateTime=0x1d5fd73)) [0285.416] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.416] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.417] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.417] GetProcessHeap () returned 0xa10000 [0285.417] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0285.417] GetSystemDefaultLangID () returned 0xa20409 [0285.417] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.417] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0285.418] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.418] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0285.418] GetProcessHeap () returned 0xa10000 [0285.418] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.419] CloseHandle (hObject=0x270) returned 1 [0285.420] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0285.420] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0285.420] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0285.420] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.420] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0285.420] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.032.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.032.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.032.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.032.etl.nefilim")) returned 1 [0285.421] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0285.421] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.421] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7f83b96b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x82808de1, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.033.etl", cAlternateFileName="UP6487~1.ETL")) returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2=".") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="..") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="...") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="windows") returned -1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="rsa") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="NTDETECT.COM") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="ntldr") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="MSDOS.SYS") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="IO.SYS") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="boot.ini") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="ntuser.dat") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="desktop.ini") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="CONFIG.SYS") returned 1 [0285.421] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="RECYCLER") returned 1 [0285.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="bootmgr") returned 1 [0285.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="programdata") returned 1 [0285.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="appdata") returned 1 [0285.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="program files") returned 1 [0285.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="program files (x86)") returned 1 [0285.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="microsoft") returned 1 [0285.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="sophos") returned 1 [0285.422] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0285.422] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0285.422] PathFindExtensionW (pszPath="UpdateSessionOrchestration.033.etl") returned=".etl" [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.422] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.423] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.423] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.423] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0285.423] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.033.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.033.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.423] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0285.423] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.423] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0285.423] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.423] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0285.423] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0285.423] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0285.423] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.424] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.463] GetTickCount () returned 0x118778f [0285.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.464] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.464] SetLastError (dwErrCode=0x0) [0285.464] WriteFile (in: hFile=0x270, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.466] GetLastError () returned 0x0 [0285.466] GetLastError () returned 0x0 [0285.466] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.466] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.467] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.467] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd0776d0e, dwHighDateTime=0x1d5fd73)) [0285.467] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.467] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.468] GetProcessHeap () returned 0xa10000 [0285.468] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0285.469] GetSystemDefaultLangID () returned 0xa20409 [0285.469] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.469] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0285.472] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.472] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0285.474] GetProcessHeap () returned 0xa10000 [0285.474] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.474] CloseHandle (hObject=0x270) returned 1 [0285.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0285.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0285.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0285.476] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0285.476] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.033.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.033.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.033.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.033.etl.nefilim")) returned 1 [0285.478] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0285.478] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0285.478] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcae2810e, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xf21e09d1, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.034.etl", cAlternateFileName="UP1073~1.ETL")) returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2=".") returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="..") returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="...") returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="windows") returned -1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="rsa") returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="NTDETECT.COM") returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="ntldr") returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="MSDOS.SYS") returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="IO.SYS") returned 1 [0285.479] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="boot.ini") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="ntuser.dat") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="desktop.ini") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="CONFIG.SYS") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="RECYCLER") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="bootmgr") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="programdata") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="appdata") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="program files") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="program files (x86)") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="microsoft") returned 1 [0285.480] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="sophos") returned 1 [0285.480] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0285.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.481] PathFindExtensionW (pszPath="UpdateSessionOrchestration.034.etl") returned=".etl" [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.481] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.482] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.482] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.482] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0285.482] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.034.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.034.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.483] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0285.483] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0285.483] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.483] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0285.483] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.483] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0285.483] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0285.483] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.487] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.490] GetTickCount () returned 0x11877ae [0285.490] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.490] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.490] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.490] SetLastError (dwErrCode=0x0) [0285.491] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.493] GetLastError () returned 0x0 [0285.493] GetLastError () returned 0x0 [0285.494] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.494] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.494] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.494] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd07c2f74, dwHighDateTime=0x1d5fd73)) [0285.494] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.494] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.494] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.495] GetProcessHeap () returned 0xa10000 [0285.495] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0285.495] GetSystemDefaultLangID () returned 0xa20409 [0285.495] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.495] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0285.497] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.497] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0285.497] GetProcessHeap () returned 0xa10000 [0285.497] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.497] CloseHandle (hObject=0x270) returned 1 [0285.506] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0285.506] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0285.506] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0285.506] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.506] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0285.507] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.034.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.034.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.034.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.034.etl.nefilim")) returned 1 [0285.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0285.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.509] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcd491119, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x2e5f9ec7, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.035.etl", cAlternateFileName="UPDATE~4.ETL")) returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2=".") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="..") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="...") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="windows") returned -1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="rsa") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="NTDETECT.COM") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="ntldr") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="MSDOS.SYS") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="IO.SYS") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="boot.ini") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="ntuser.dat") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="desktop.ini") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="CONFIG.SYS") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="RECYCLER") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="bootmgr") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="programdata") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="appdata") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="program files") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="program files (x86)") returned 1 [0285.509] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="microsoft") returned 1 [0285.510] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="sophos") returned 1 [0285.510] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0285.510] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0285.510] PathFindExtensionW (pszPath="UpdateSessionOrchestration.035.etl") returned=".etl" [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.510] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.510] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.510] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0285.510] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.035.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.035.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.511] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=16384) returned 1 [0285.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0285.511] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.511] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0285.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0285.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0285.511] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.512] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.512] GetTickCount () returned 0x11877be [0285.512] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.512] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.512] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.512] SetLastError (dwErrCode=0x0) [0285.512] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.514] GetLastError () returned 0x0 [0285.514] GetLastError () returned 0x0 [0285.514] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.514] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.514] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.514] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd07ea94c, dwHighDateTime=0x1d5fd73)) [0285.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.514] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.514] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.514] GetProcessHeap () returned 0xa10000 [0285.514] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4000) returned 0xa3f6a8 [0285.514] GetSystemDefaultLangID () returned 0xa20409 [0285.514] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.514] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x4000, lpOverlapped=0x0) returned 1 [0285.516] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.516] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x4000, lpOverlapped=0x0) returned 1 [0285.521] GetProcessHeap () returned 0xa10000 [0285.521] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.521] CloseHandle (hObject=0x270) returned 1 [0285.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0285.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0285.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0285.523] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0285.523] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.035.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.035.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.035.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.035.etl.nefilim")) returned 1 [0285.524] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0285.524] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0285.524] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb30910b4, ftLastAccessTime.dwHighDateTime=0x1d3278b, ftLastWriteTime.dwLowDateTime=0xe1a1828d, ftLastWriteTime.dwHighDateTime=0x1d3278b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.036.etl", cAlternateFileName="UPDATE~3.ETL")) returned 1 [0285.524] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2=".") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="..") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="...") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="windows") returned -1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="rsa") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="NTDETECT.COM") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="ntldr") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="MSDOS.SYS") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="IO.SYS") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="boot.ini") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="ntuser.dat") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="desktop.ini") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="CONFIG.SYS") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="RECYCLER") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="bootmgr") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="programdata") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="appdata") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="program files") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="program files (x86)") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="microsoft") returned 1 [0285.525] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="sophos") returned 1 [0285.525] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0285.525] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.525] PathFindExtensionW (pszPath="UpdateSessionOrchestration.036.etl") returned=".etl" [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.526] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.526] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.526] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0285.526] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.036.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.036.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.527] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=16384) returned 1 [0285.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0285.527] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.527] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0285.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0285.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0285.527] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.527] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.529] GetTickCount () returned 0x11877ce [0285.529] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.529] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.529] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.529] SetLastError (dwErrCode=0x0) [0285.529] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.530] GetLastError () returned 0x0 [0285.530] GetLastError () returned 0x0 [0285.530] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.531] WriteFile (in: hFile=0x270, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.531] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.531] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd080f565, dwHighDateTime=0x1d5fd73)) [0285.531] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.531] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.531] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.531] GetProcessHeap () returned 0xa10000 [0285.531] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4000) returned 0xa3f6a8 [0285.532] GetSystemDefaultLangID () returned 0xa20409 [0285.532] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.532] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x4000, lpOverlapped=0x0) returned 1 [0285.535] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.535] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x4000, lpOverlapped=0x0) returned 1 [0285.535] GetProcessHeap () returned 0xa10000 [0285.535] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.536] CloseHandle (hObject=0x270) returned 1 [0285.539] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0285.539] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0285.539] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.539] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0285.539] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0285.539] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.036.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.036.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.036.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.036.etl.nefilim")) returned 1 [0285.541] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0285.541] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.541] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbda7099b, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xe19a12b7, ftLastWriteTime.dwHighDateTime=0x1d32746, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.037.etl", cAlternateFileName="UPDATE~2.ETL")) returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2=".") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="..") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="...") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="windows") returned -1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="rsa") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="NTDETECT.COM") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="ntldr") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="MSDOS.SYS") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="IO.SYS") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="boot.ini") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="ntuser.dat") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="desktop.ini") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="CONFIG.SYS") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="RECYCLER") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="bootmgr") returned 1 [0285.541] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="programdata") returned 1 [0285.542] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="appdata") returned 1 [0285.542] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="program files") returned 1 [0285.542] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="program files (x86)") returned 1 [0285.542] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="microsoft") returned 1 [0285.542] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="sophos") returned 1 [0285.542] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0285.542] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0285.542] PathFindExtensionW (pszPath="UpdateSessionOrchestration.037.etl") returned=".etl" [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.542] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.543] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.543] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.543] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.543] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.543] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0285.543] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.037.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.037.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.543] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0285.543] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0285.543] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0285.543] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0285.543] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0285.543] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0285.543] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0285.543] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.546] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.548] GetTickCount () returned 0x11877dd [0285.548] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.548] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.548] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.548] SetLastError (dwErrCode=0x0) [0285.548] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.550] GetLastError () returned 0x0 [0285.550] GetLastError () returned 0x0 [0285.550] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.550] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.550] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.550] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd085bb5c, dwHighDateTime=0x1d5fd73)) [0285.550] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.550] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.551] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.551] GetProcessHeap () returned 0xa10000 [0285.551] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0285.551] GetSystemDefaultLangID () returned 0xa20409 [0285.551] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.551] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0285.552] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.553] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0285.553] GetProcessHeap () returned 0xa10000 [0285.553] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.553] CloseHandle (hObject=0x270) returned 1 [0285.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0285.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0285.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0285.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0285.555] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0285.555] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.037.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.037.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.037.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.037.etl.nefilim")) returned 1 [0285.556] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0285.556] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0285.556] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa972a1, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x266bdfb9, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.038.etl", cAlternateFileName="UPDATE~1.ETL")) returned 1 [0285.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2=".") returned 1 [0285.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="..") returned 1 [0285.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="...") returned 1 [0285.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="windows") returned -1 [0285.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="rsa") returned 1 [0285.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="NTDETECT.COM") returned 1 [0285.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="ntldr") returned 1 [0285.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="MSDOS.SYS") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="IO.SYS") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="boot.ini") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="ntuser.dat") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="desktop.ini") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="CONFIG.SYS") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="RECYCLER") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="bootmgr") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="programdata") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="appdata") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="program files") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="program files (x86)") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="microsoft") returned 1 [0285.557] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="sophos") returned 1 [0285.557] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de3b0 [0285.557] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.557] PathFindExtensionW (pszPath="UpdateSessionOrchestration.038.etl") returned=".etl" [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.557] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.558] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.558] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.558] lstrcmpiW (lpString1="UpdateSessionOrchestration.038.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.558] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de318 [0285.558] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.038.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.038.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.558] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0285.558] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.558] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0285.558] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.558] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0285.558] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0285.558] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0285.558] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.559] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.559] GetTickCount () returned 0x11877ed [0285.559] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.559] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.559] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.559] SetLastError (dwErrCode=0x0) [0285.559] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.560] GetLastError () returned 0x0 [0285.560] GetLastError () returned 0x0 [0285.560] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.560] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.560] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.560] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd085bb5c, dwHighDateTime=0x1d5fd73)) [0285.560] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.560] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.560] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.561] GetProcessHeap () returned 0xa10000 [0285.561] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0285.561] GetSystemDefaultLangID () returned 0xa20409 [0285.561] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.561] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0285.562] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.562] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0285.562] GetProcessHeap () returned 0xa10000 [0285.562] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.562] CloseHandle (hObject=0x270) returned 1 [0285.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0285.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0285.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0285.568] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de448 [0285.568] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.038.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.038.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.038.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.038.etl.nefilim")) returned 1 [0285.569] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de448 | out: hHeap=0x28d0000) returned 1 [0285.569] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.569] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x8243765a, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x889a9e61, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.001.etl", cAlternateFileName="UP654C~1.ETL")) returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2=".") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="..") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="...") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="windows") returned -1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="rsa") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="NTDETECT.COM") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="ntldr") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="MSDOS.SYS") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="IO.SYS") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="boot.ini") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="ntuser.dat") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="desktop.ini") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="CONFIG.SYS") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="RECYCLER") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="bootmgr") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="programdata") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="appdata") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="program files") returned 1 [0285.569] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="program files (x86)") returned 1 [0285.570] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="microsoft") returned 1 [0285.570] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="sophos") returned 1 [0285.570] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de318 [0285.570] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3b0 | out: hHeap=0x28d0000) returned 1 [0285.570] PathFindExtensionW (pszPath="UpdateUx.001.etl") returned=".etl" [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.570] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.570] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.570] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de390 [0285.570] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.571] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=8192) returned 1 [0285.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0285.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.571] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0285.571] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0285.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0285.571] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.571] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.572] GetTickCount () returned 0x11877fc [0285.573] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.573] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.573] SetLastError (dwErrCode=0x0) [0285.573] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.574] GetLastError () returned 0x0 [0285.574] GetLastError () returned 0x0 [0285.574] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.574] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.574] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.574] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd088721b, dwHighDateTime=0x1d5fd73)) [0285.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.574] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.574] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.574] GetProcessHeap () returned 0xa10000 [0285.574] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2000) returned 0xa3f6a8 [0285.575] GetSystemDefaultLangID () returned 0xa20409 [0285.575] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.575] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2000, lpOverlapped=0x0) returned 1 [0285.577] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.577] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2000, lpOverlapped=0x0) returned 1 [0285.577] GetProcessHeap () returned 0xa10000 [0285.577] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.577] CloseHandle (hObject=0x270) returned 1 [0285.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0285.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0285.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0285.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de408 [0285.579] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.001.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.001.etl.nefilim")) returned 1 [0285.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0285.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de390 | out: hHeap=0x28d0000) returned 1 [0285.580] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x6fa4f40f, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x7e0bea63, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.002.etl", cAlternateFileName="UP1018~1.ETL")) returned 1 [0285.580] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2=".") returned 1 [0285.580] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="..") returned 1 [0285.580] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="...") returned 1 [0285.580] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="windows") returned -1 [0285.580] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="$RECYCLE.BIN") returned 1 [0285.580] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="rsa") returned 1 [0285.580] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="NTDETECT.COM") returned 1 [0285.580] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="ntldr") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="MSDOS.SYS") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="IO.SYS") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="boot.ini") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="AUTOEXEC.BAT") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="ntuser.dat") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="desktop.ini") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="CONFIG.SYS") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="RECYCLER") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="BOOTSECT.BAK") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="bootmgr") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="programdata") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="appdata") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="program files") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="program files (x86)") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="microsoft") returned 1 [0285.581] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="sophos") returned 1 [0285.581] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de390 [0285.581] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.581] PathFindExtensionW (pszPath="UpdateUx.002.etl") returned=".etl" [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0285.581] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0285.582] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0285.582] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0285.582] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0285.582] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0285.582] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.582] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de318 [0285.582] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0285.584] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12288) returned 1 [0285.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0285.584] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.584] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0285.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0285.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0285.584] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0285.584] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0285.586] GetTickCount () returned 0x118780c [0285.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0285.586] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.586] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.586] SetLastError (dwErrCode=0x0) [0285.586] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.587] GetLastError () returned 0x0 [0285.587] GetLastError () returned 0x0 [0285.587] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.587] WriteFile (in: hFile=0x270, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0285.587] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.587] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd08a7f36, dwHighDateTime=0x1d5fd73)) [0285.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0285.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0285.587] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0285.587] GetProcessHeap () returned 0xa10000 [0285.587] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3000) returned 0xa3f6a8 [0285.588] GetSystemDefaultLangID () returned 0xa20409 [0285.588] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.588] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3000, lpOverlapped=0x0) returned 1 [0285.592] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.592] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3000, lpOverlapped=0x0) returned 1 [0285.592] GetProcessHeap () returned 0xa10000 [0285.592] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0285.592] CloseHandle (hObject=0x270) returned 1 [0285.595] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0285.595] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0285.595] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0285.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de408 [0285.596] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.002.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.002.etl.nefilim")) returned 1 [0285.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0285.615] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.615] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x6fa4f40f, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x7e0bea63, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.002.etl", cAlternateFileName="UP1018~1.ETL")) returned 0 [0285.615] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0285.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de390 | out: hHeap=0x28d0000) returned 1 [0285.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0285.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.616] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc3cd5f58, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0xc3cd5f58, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="Logs", cAlternateFileName="")) returned 0 [0285.616] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0285.617] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0285.617] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.617] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.617] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2=".") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="..") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="...") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="windows") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="$RECYCLE.BIN") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="rsa") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="NTDETECT.COM") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="ntldr") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="MSDOS.SYS") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="IO.SYS") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="boot.ini") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="AUTOEXEC.BAT") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="ntuser.dat") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="desktop.ini") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="CONFIG.SYS") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="RECYCLER") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="BOOTSECT.BAK") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="bootmgr") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="programdata") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="appdata") returned 1 [0285.617] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="program files") returned 1 [0285.618] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="program files (x86)") returned 1 [0285.618] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="microsoft") returned 1 [0285.618] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="sophos") returned 1 [0285.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd50 [0285.618] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0285.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdb8 [0285.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe20 [0285.618] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\WindowsHolographicDevices\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0285.619] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.619] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="..", cAlternateFileName="")) returned 1 [0285.619] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.619] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.619] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="SpatialStore", cAlternateFileName="SPATIA~1")) returned 1 [0285.619] lstrcmpiW (lpString1="SpatialStore", lpString2=".") returned 1 [0285.619] lstrcmpiW (lpString1="SpatialStore", lpString2="..") returned 1 [0285.619] lstrcmpiW (lpString1="SpatialStore", lpString2="...") returned 1 [0285.619] lstrcmpiW (lpString1="SpatialStore", lpString2="windows") returned -1 [0285.619] lstrcmpiW (lpString1="SpatialStore", lpString2="$RECYCLE.BIN") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="rsa") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="NTDETECT.COM") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="ntldr") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="MSDOS.SYS") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="IO.SYS") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="boot.ini") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="AUTOEXEC.BAT") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="ntuser.dat") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="desktop.ini") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="CONFIG.SYS") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="RECYCLER") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="BOOTSECT.BAK") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="bootmgr") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="programdata") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="appdata") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="program files") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="program files (x86)") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="microsoft") returned 1 [0285.620] lstrcmpiW (lpString1="SpatialStore", lpString2="sophos") returned 1 [0285.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de318 [0285.620] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe20 | out: hHeap=0x28d0000) returned 1 [0285.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe20 [0285.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de3a0 [0285.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de428 [0285.620] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f320 [0285.621] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.621] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.622] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.622] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.622] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0285.622] FindClose (in: hFindFile=0xa2f320 | out: hFindFile=0xa2f320) returned 1 [0285.622] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de428 | out: hHeap=0x28d0000) returned 1 [0285.622] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3a0 | out: hHeap=0x28d0000) returned 1 [0285.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe20 | out: hHeap=0x28d0000) returned 1 [0285.623] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x9b00019a, cFileName="SpatialStore", cAlternateFileName="SPATIA~1")) returned 0 [0285.623] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0285.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb8 | out: hHeap=0x28d0000) returned 1 [0285.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.623] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 0 [0285.623] FindClose (in: hFindFile=0xa2f4a0 | out: hFindFile=0xa2f4a0) returned 1 [0285.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0285.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0285.623] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x9, cFileName="Default", cAlternateFileName="")) returned 1 [0285.623] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0285.623] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0285.623] lstrcmpiW (lpString1="Default", lpString2="...") returned 1 [0285.623] lstrcmpiW (lpString1="Default", lpString2="windows") returned -1 [0285.623] lstrcmpiW (lpString1="Default", lpString2="$RECYCLE.BIN") returned 1 [0285.623] lstrcmpiW (lpString1="Default", lpString2="rsa") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="NTDETECT.COM") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="ntldr") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="MSDOS.SYS") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="IO.SYS") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="boot.ini") returned 1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="AUTOEXEC.BAT") returned 1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="ntuser.dat") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="desktop.ini") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="CONFIG.SYS") returned 1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="RECYCLER") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="BOOTSECT.BAK") returned 1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="bootmgr") returned 1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="programdata") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="appdata") returned 1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="program files") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="program files (x86)") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="microsoft") returned -1 [0285.624] lstrcmpiW (lpString1="Default", lpString2="sophos") returned -1 [0285.624] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0285.624] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0285.624] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0285.624] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12b0 [0285.624] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0285.624] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0285.625] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.625] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.626] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.626] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.626] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="$RECYCLE.BIN") returned 1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="NTDETECT.COM") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="ntldr") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="MSDOS.SYS") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="IO.SYS") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="boot.ini") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="AUTOEXEC.BAT") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="desktop.ini") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="CONFIG.SYS") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="RECYCLER") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="BOOTSECT.BAK") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0285.626] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0285.626] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="$RECYCLE.BIN") returned 1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="NTDETECT.COM") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="ntldr") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="MSDOS.SYS") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="IO.SYS") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="boot.ini") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="AUTOEXEC.BAT") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="desktop.ini") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="CONFIG.SYS") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="RECYCLER") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="BOOTSECT.BAK") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="microsoft") returned -1 [0285.627] lstrcmpiW (lpString1="Application Data", lpString2="sophos") returned -1 [0285.627] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcf8 [0285.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.628] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd50 [0285.628] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda8 [0285.628] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe00 [0285.628] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Application Data\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x1d32743, ftCreationTime.dwHighDateTime=0x9b00019a, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01뵐ʍ본ʍD")) returned 0xffffffff [0285.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0285.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0285.628] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.628] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0285.628] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0285.628] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0285.628] lstrcmpiW (lpString1="Cookies", lpString2="...") returned 1 [0285.628] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0285.628] lstrcmpiW (lpString1="Cookies", lpString2="$RECYCLE.BIN") returned 1 [0285.628] lstrcmpiW (lpString1="Cookies", lpString2="rsa") returned -1 [0285.628] lstrcmpiW (lpString1="Cookies", lpString2="NTDETECT.COM") returned -1 [0285.628] lstrcmpiW (lpString1="Cookies", lpString2="ntldr") returned -1 [0285.628] lstrcmpiW (lpString1="Cookies", lpString2="MSDOS.SYS") returned -1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="IO.SYS") returned -1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="boot.ini") returned 1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="AUTOEXEC.BAT") returned 1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="ntuser.dat") returned -1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="desktop.ini") returned -1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="CONFIG.SYS") returned 1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="RECYCLER") returned -1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="BOOTSECT.BAK") returned 1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="bootmgr") returned 1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="programdata") returned -1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="appdata") returned 1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="program files") returned -1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="program files (x86)") returned -1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="microsoft") returned -1 [0285.629] lstrcmpiW (lpString1="Cookies", lpString2="sophos") returned -1 [0285.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.629] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0285.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0285.629] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Cookies\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x1d32743, ftCreationTime.dwHighDateTime=0x2e00002e, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍ뵐ʍ2")) returned 0xffffffff [0285.630] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.630] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.630] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.630] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0285.630] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0285.631] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0285.631] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0285.631] lstrcmpiW (lpString1="Desktop", lpString2="microsoft") returned -1 [0285.631] lstrcmpiW (lpString1="Desktop", lpString2="sophos") returned -1 [0285.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.631] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0285.631] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f7e0 [0285.631] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.631] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.631] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.631] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.631] FindNextFileW (in: hFindFile=0xa2f7e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0285.631] FindClose (in: hFindFile=0xa2f7e0 | out: hFindFile=0xa2f7e0) returned 1 [0285.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.636] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0285.636] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0285.637] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0285.637] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0285.637] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0285.637] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0285.637] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.637] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.637] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.637] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.637] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0285.637] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0285.640] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.640] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.640] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.640] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.640] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0285.640] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0285.641] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0285.641] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0285.641] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0285.641] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0285.641] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0285.641] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0285.641] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0285.641] lstrcmpiW (lpString1="My Music", lpString2="microsoft") returned 1 [0285.641] lstrcmpiW (lpString1="My Music", lpString2="sophos") returned -1 [0285.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbde0 [0285.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe38 [0285.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe90 [0285.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de318 [0285.641] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff6cd8, ftCreationTime.dwHighDateTime=0x9b00019a, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01븸ʍ뷠ʍH")) returned 0xffffffff [0285.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe38 | out: hHeap=0x28d0000) returned 1 [0285.644] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0285.644] lstrcmpiW (lpString1="My Pictures", lpString2="microsoft") returned 1 [0285.645] lstrcmpiW (lpString1="My Pictures", lpString2="sophos") returned -1 [0285.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe38 [0285.645] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde0 | out: hHeap=0x28d0000) returned 1 [0285.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe90 [0285.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0285.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de318 [0285.645] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x4000004, ftCreationTime.dwLowDateTime=0xffff6cd8, ftCreationTime.dwHighDateTime=0x14000014, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01뺐ʍ븸ʍN")) returned 0xffffffff [0285.645] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.645] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.645] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.645] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0285.645] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0285.645] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0285.645] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0285.645] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0285.645] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0285.645] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0285.645] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0285.645] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="microsoft") returned 1 [0285.646] lstrcmpiW (lpString1="My Videos", lpString2="sophos") returned -1 [0285.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe90 [0285.646] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe38 | out: hHeap=0x28d0000) returned 1 [0285.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0285.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0285.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de318 [0285.646] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff6cd8, ftCreationTime.dwHighDateTime=0x9b00019a, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x4000004, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x14000014, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01붘ʍ뺐ʍJ")) returned 0xffffffff [0285.646] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.646] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0285.647] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.647] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0285.647] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0285.648] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.648] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.648] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.648] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="$RECYCLE.BIN") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="NTDETECT.COM") returned -1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="ntldr") returned -1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="MSDOS.SYS") returned -1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="IO.SYS") returned -1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="boot.ini") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="AUTOEXEC.BAT") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="desktop.ini") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="CONFIG.SYS") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="RECYCLER") returned -1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="BOOTSECT.BAK") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0285.648] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0285.649] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0285.649] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0285.649] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0285.649] lstrcmpiW (lpString1="Downloads", lpString2="microsoft") returned -1 [0285.649] lstrcmpiW (lpString1="Downloads", lpString2="sophos") returned -1 [0285.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0285.649] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0285.649] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.649] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.649] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.649] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.649] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0285.649] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0285.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.650] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="$RECYCLE.BIN") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="NTDETECT.COM") returned -1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="ntldr") returned -1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="MSDOS.SYS") returned -1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="IO.SYS") returned -1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="boot.ini") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="AUTOEXEC.BAT") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="desktop.ini") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="CONFIG.SYS") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="RECYCLER") returned -1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="BOOTSECT.BAK") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0285.650] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0285.651] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0285.651] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0285.651] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0285.651] lstrcmpiW (lpString1="Favorites", lpString2="microsoft") returned -1 [0285.651] lstrcmpiW (lpString1="Favorites", lpString2="sophos") returned -1 [0285.651] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.651] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.651] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.651] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.651] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0285.651] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0285.660] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.660] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.660] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.660] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.660] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0285.660] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0285.660] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.660] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.660] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.660] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0285.660] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0285.660] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0285.660] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0285.660] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0285.660] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0285.660] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0285.660] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="microsoft") returned -1 [0285.661] lstrcmpiW (lpString1="Links", lpString2="sophos") returned -1 [0285.661] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0285.661] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.661] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0285.661] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd30 [0285.661] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd68 [0285.661] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f9a0 [0285.661] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.661] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.662] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.662] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.662] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0285.662] FindClose (in: hFindFile=0xa2f9a0 | out: hFindFile=0xa2f9a0) returned 1 [0285.662] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd68 | out: hHeap=0x28d0000) returned 1 [0285.662] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd30 | out: hHeap=0x28d0000) returned 1 [0285.662] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0285.662] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="...") returned 1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="$RECYCLE.BIN") returned 1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="rsa") returned -1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="NTDETECT.COM") returned -1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="ntldr") returned -1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="MSDOS.SYS") returned -1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="IO.SYS") returned 1 [0285.662] lstrcmpiW (lpString1="Local Settings", lpString2="boot.ini") returned 1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="AUTOEXEC.BAT") returned 1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="ntuser.dat") returned -1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="desktop.ini") returned 1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="CONFIG.SYS") returned 1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="RECYCLER") returned -1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="BOOTSECT.BAK") returned 1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="bootmgr") returned 1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="programdata") returned -1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="appdata") returned 1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="program files") returned -1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="program files (x86)") returned -1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="microsoft") returned -1 [0285.663] lstrcmpiW (lpString1="Local Settings", lpString2="sophos") returned -1 [0285.663] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcf8 [0285.663] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x5e) returned 0x28dbd40 [0285.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0285.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.663] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0285.663] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda8 [0285.663] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe00 [0285.663] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Local Settings\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x2c00002c, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9b00019a, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍ뵀ʍ@")) returned 0xffffffff [0285.664] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0285.664] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0285.664] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.664] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="$RECYCLE.BIN") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="NTDETECT.COM") returned -1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="ntldr") returned -1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="MSDOS.SYS") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="IO.SYS") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="boot.ini") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="AUTOEXEC.BAT") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="desktop.ini") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="CONFIG.SYS") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="RECYCLER") returned -1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="BOOTSECT.BAK") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0285.664] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0285.665] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0285.665] lstrcmpiW (lpString1="Music", lpString2="microsoft") returned 1 [0285.665] lstrcmpiW (lpString1="Music", lpString2="sophos") returned -1 [0285.665] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0285.665] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd40 | out: hHeap=0x28d0000) returned 1 [0285.665] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcf8 [0285.665] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd30 [0285.665] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd68 [0285.665] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9b00019a, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0285.666] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.666] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9b00019a, cFileName="..", cAlternateFileName="")) returned 1 [0285.666] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.666] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.666] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9b00019a, cFileName="..", cAlternateFileName="")) returned 0 [0285.666] FindClose (in: hFindFile=0xa2f920 | out: hFindFile=0xa2f920) returned 1 [0285.666] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd68 | out: hHeap=0x28d0000) returned 1 [0285.666] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd30 | out: hHeap=0x28d0000) returned 1 [0285.666] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0285.667] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="...") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="$RECYCLE.BIN") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="rsa") returned -1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="NTDETECT.COM") returned -1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="ntldr") returned -1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="MSDOS.SYS") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="IO.SYS") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="boot.ini") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="AUTOEXEC.BAT") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="ntuser.dat") returned -1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="desktop.ini") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="CONFIG.SYS") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="RECYCLER") returned -1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="BOOTSECT.BAK") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="bootmgr") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="programdata") returned -1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="appdata") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="program files") returned -1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="program files (x86)") returned -1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="microsoft") returned 1 [0285.667] lstrcmpiW (lpString1="My Documents", lpString2="sophos") returned -1 [0285.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcf8 [0285.668] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.668] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd40 [0285.668] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd88 [0285.668] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdd0 [0285.668] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\My Documents\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x9b00019a, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9b00019a, cFileName="", cAlternateFileName="ɮ⊺\x01뵀ʍ본ʍ<")) returned 0xffffffff [0285.668] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd0 | out: hHeap=0x28d0000) returned 1 [0285.668] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd88 | out: hHeap=0x28d0000) returned 1 [0285.668] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd40 | out: hHeap=0x28d0000) returned 1 [0285.668] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="...") returned 1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="$RECYCLE.BIN") returned 1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="rsa") returned -1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="NTDETECT.COM") returned -1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="ntldr") returned -1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="MSDOS.SYS") returned 1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="IO.SYS") returned 1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="boot.ini") returned 1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="AUTOEXEC.BAT") returned 1 [0285.668] lstrcmpiW (lpString1="NetHood", lpString2="ntuser.dat") returned -1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="desktop.ini") returned 1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="CONFIG.SYS") returned 1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="RECYCLER") returned -1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="BOOTSECT.BAK") returned 1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="bootmgr") returned 1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="programdata") returned -1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="appdata") returned 1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="program files") returned -1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="program files (x86)") returned -1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="microsoft") returned 1 [0285.669] lstrcmpiW (lpString1="NetHood", lpString2="sophos") returned -1 [0285.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd40 [0285.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0285.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd88 [0285.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdd0 [0285.669] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\NetHood\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x30000030, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x9b00019a, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9b00019a, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍ뵀ʍ2")) returned 0xffffffff [0285.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd0 | out: hHeap=0x28d0000) returned 1 [0285.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd88 | out: hHeap=0x28d0000) returned 1 [0285.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.669] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c4aac40, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x19fa8eb, ftLastAccessTime.dwHighDateTime=0x1d5d811, ftLastWriteTime.dwLowDateTime=0x19fa8eb, ftLastWriteTime.dwHighDateTime=0x1d5d811, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="...") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$RECYCLE.BIN") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="rsa") returned -1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="NTDETECT.COM") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntldr") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="MSDOS.SYS") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="IO.SYS") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="boot.ini") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="AUTOEXEC.BAT") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0285.670] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2=".") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="..") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="...") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="windows") returned -1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="rsa") returned -1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="NTDETECT.COM") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntldr") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="MSDOS.SYS") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="IO.SYS") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="boot.ini") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="AUTOEXEC.BAT") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntuser.dat") returned 1 [0285.670] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="desktop.ini") returned 1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="CONFIG.SYS") returned 1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="RECYCLER") returned -1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="BOOTSECT.BAK") returned 1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="bootmgr") returned 1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="programdata") returned -1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="appdata") returned 1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="program files") returned -1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="program files (x86)") returned -1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="microsoft") returned 1 [0285.671] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="sophos") returned -1 [0285.671] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0285.671] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd40 | out: hHeap=0x28d0000) returned 1 [0285.671] PathFindExtensionW (pszPath="NTUSER.DAT.LOG1") returned=".LOG1" [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0285.671] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0285.672] lstrcmpiW (lpString1=".LOG1", lpString2=".NEFILIM") returned -1 [0285.672] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0285.672] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0285.672] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.672] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd18 [0285.672] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0285.672] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=24576) returned 1 [0285.672] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.672] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0285.672] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.672] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0285.672] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0285.672] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0285.673] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0285.674] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0285.676] GetTickCount () returned 0x118786a [0285.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd70 [0285.676] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0285.676] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x6000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.676] SetLastError (dwErrCode=0x0) [0285.676] WriteFile (in: hFile=0x23c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.678] GetLastError () returned 0x0 [0285.678] GetLastError () returned 0x0 [0285.678] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x6100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.678] WriteFile (in: hFile=0x23c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.678] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x6200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.678] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xd098cdf9, dwHighDateTime=0x1d5fd73)) [0285.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd70 [0285.678] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0285.678] WriteFile (in: hFile=0x23c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0285.678] GetProcessHeap () returned 0xa10000 [0285.678] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x6000) returned 0xa3e6a0 [0285.678] GetSystemDefaultLangID () returned 0xa20409 [0285.679] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.679] ReadFile (in: hFile=0x23c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x6000, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eef8c*=0x6000, lpOverlapped=0x0) returned 1 [0285.681] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.681] WriteFile (in: hFile=0x23c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eef80*=0x6000, lpOverlapped=0x0) returned 1 [0285.681] GetProcessHeap () returned 0xa10000 [0285.681] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0285.681] CloseHandle (hObject=0x23c) returned 1 [0285.684] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0285.684] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0285.685] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.685] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0285.685] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd70 [0285.685] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat.log1.nefilim")) returned 1 [0285.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0285.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0285.686] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2=".") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="..") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="...") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="windows") returned -1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="rsa") returned -1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="NTDETECT.COM") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntldr") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="MSDOS.SYS") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="IO.SYS") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="boot.ini") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="AUTOEXEC.BAT") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntuser.dat") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="desktop.ini") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="CONFIG.SYS") returned 1 [0285.686] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="RECYCLER") returned -1 [0285.687] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="BOOTSECT.BAK") returned 1 [0285.687] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="bootmgr") returned 1 [0285.687] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="programdata") returned -1 [0285.687] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="appdata") returned 1 [0285.687] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="program files") returned -1 [0285.687] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="program files (x86)") returned -1 [0285.687] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="microsoft") returned 1 [0285.687] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="sophos") returned -1 [0285.687] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd18 [0285.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.687] PathFindExtensionW (pszPath="NTUSER.DAT.LOG2") returned=".LOG2" [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0285.687] lstrcmpiW (lpString1=".LOG2", lpString2=".NEFILIM") returned -1 [0285.688] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0285.688] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0285.688] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.688] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0285.688] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0285.688] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=20480) returned 1 [0285.688] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0285.688] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.688] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0285.688] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.688] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0285.688] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0285.688] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eef28*=0x100) returned 1 [0285.689] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26eef24*=0x100) returned 1 [0285.689] GetTickCount () returned 0x118786a [0285.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd70 [0285.689] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0285.689] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x5000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.689] SetLastError (dwErrCode=0x0) [0285.689] WriteFile (in: hFile=0x23c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.691] GetLastError () returned 0x0 [0285.691] GetLastError () returned 0x0 [0285.691] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x5100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.691] WriteFile (in: hFile=0x23c, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.691] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x5200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.691] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xd09b304e, dwHighDateTime=0x1d5fd73)) [0285.691] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd70 [0285.691] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0285.691] WriteFile (in: hFile=0x23c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0285.691] GetProcessHeap () returned 0xa10000 [0285.691] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x5000) returned 0xa3e6a0 [0285.691] GetSystemDefaultLangID () returned 0xa20409 [0285.692] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.692] ReadFile (in: hFile=0x23c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eef8c*=0x5000, lpOverlapped=0x0) returned 1 [0285.694] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.694] WriteFile (in: hFile=0x23c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eef80*=0x5000, lpOverlapped=0x0) returned 1 [0285.694] GetProcessHeap () returned 0xa10000 [0285.694] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0285.695] CloseHandle (hObject=0x23c) returned 1 [0285.696] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0285.696] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0285.696] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0285.696] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.696] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd70 [0285.696] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat.log2.nefilim")) returned 1 [0285.697] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0285.697] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.697] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7dab84ff, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855f639a, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0285.697] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2=".") returned 1 [0285.697] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="..") returned 1 [0285.697] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="...") returned 1 [0285.697] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="windows") returned -1 [0285.697] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="$RECYCLE.BIN") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="rsa") returned -1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="ntldr") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="MSDOS.SYS") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="IO.SYS") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="boot.ini") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="AUTOEXEC.BAT") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="ntuser.dat") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="desktop.ini") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="CONFIG.SYS") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="RECYCLER") returned -1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="BOOTSECT.BAK") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="bootmgr") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="programdata") returned -1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="appdata") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="program files") returned -1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="program files (x86)") returned -1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="microsoft") returned 1 [0285.698] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="sophos") returned -1 [0285.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbd70 [0285.698] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0285.698] PathFindExtensionW (pszPath="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf") returned=".blf" [0285.698] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0285.698] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".NEFILIM") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0285.699] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0285.699] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.699] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbcc0 [0285.699] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0285.700] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=65536) returned 1 [0285.700] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.700] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0285.700] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.700] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0285.700] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0285.700] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0285.700] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0285.700] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0285.701] GetTickCount () returned 0x1187879 [0285.701] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe18 [0285.701] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0285.701] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.701] SetLastError (dwErrCode=0x0) [0285.701] WriteFile (in: hFile=0x23c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.702] GetLastError () returned 0x0 [0285.702] GetLastError () returned 0x0 [0285.702] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.702] WriteFile (in: hFile=0x23c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.702] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.702] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xd09b304e, dwHighDateTime=0x1d5fd73)) [0285.703] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe18 [0285.703] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0285.703] WriteFile (in: hFile=0x23c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0285.703] GetProcessHeap () returned 0xa10000 [0285.703] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x10000) returned 0xa3e6a0 [0285.703] GetSystemDefaultLangID () returned 0xa20409 [0285.703] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.703] ReadFile (in: hFile=0x23c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eef8c*=0x10000, lpOverlapped=0x0) returned 1 [0285.708] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.708] WriteFile (in: hFile=0x23c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eef80*=0x10000, lpOverlapped=0x0) returned 1 [0285.709] GetProcessHeap () returned 0xa10000 [0285.709] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0285.709] CloseHandle (hObject=0x23c) returned 1 [0285.712] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0285.712] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0285.712] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.712] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0285.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbe18 [0285.712] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf.nefilim")) returned 1 [0285.713] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0285.713] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.713] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ddd9675, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="IO.SYS") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="RECYCLER") returned -1 [0285.713] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0285.714] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0285.714] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0285.714] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0285.714] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0285.714] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0285.714] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="microsoft") returned 1 [0285.714] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="sophos") returned -1 [0285.714] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbe18 [0285.714] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0285.714] PathFindExtensionW (pszPath="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0285.714] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12e8 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0285.714] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0285.715] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0285.715] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0285.715] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.715] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbcc0 [0285.715] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0285.716] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=524288) returned 1 [0285.716] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0285.717] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.717] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0285.717] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.717] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0285.717] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0285.717] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0285.717] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26eef24*=0x100) returned 1 [0285.718] GetTickCount () returned 0x1187889 [0285.718] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbda8 [0285.718] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0285.718] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.718] SetLastError (dwErrCode=0x0) [0285.718] WriteFile (in: hFile=0x23c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.719] GetLastError () returned 0x0 [0285.719] GetLastError () returned 0x0 [0285.719] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.719] WriteFile (in: hFile=0x23c, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.719] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.719] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xd09d919f, dwHighDateTime=0x1d5fd73)) [0285.719] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbda8 [0285.719] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0285.719] WriteFile (in: hFile=0x23c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0285.720] GetProcessHeap () returned 0xa10000 [0285.720] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x80000) returned 0xc11020 [0285.722] GetSystemDefaultLangID () returned 0xa20409 [0285.722] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.722] ReadFile (in: hFile=0x23c, lpBuffer=0xc11020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xc11020*, lpNumberOfBytesRead=0x26eef8c*=0x80000, lpOverlapped=0x0) returned 1 [0285.763] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.763] WriteFile (in: hFile=0x23c, lpBuffer=0xc11020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xc11020*, lpNumberOfBytesWritten=0x26eef80*=0x80000, lpOverlapped=0x0) returned 1 [0285.765] GetProcessHeap () returned 0xa10000 [0285.765] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xc11020 | out: hHeap=0xa10000) returned 1 [0285.769] CloseHandle (hObject=0x23c) returned 1 [0285.784] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0285.784] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0285.784] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0285.784] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.784] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de318 [0285.784] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms.nefilim")) returned 1 [0285.785] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.785] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.785] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e8 | out: hHeap=0x28d0000) returned 1 [0285.786] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de71fdf, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0x855d0141, ftLastAccessTime.dwHighDateTime=0x1d2fa07, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="IO.SYS") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="RECYCLER") returned -1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="microsoft") returned 1 [0285.786] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="sophos") returned -1 [0285.786] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbcc0 [0285.786] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0285.786] PathFindExtensionW (pszPath="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0285.786] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12e8 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0285.787] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0285.787] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.787] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbda8 [0285.787] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0285.787] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=524288) returned 1 [0285.788] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.788] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0285.788] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.788] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0285.788] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0285.788] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0285.788] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26eef28*=0x100) returned 1 [0285.788] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eef24*=0x100) returned 1 [0285.789] GetTickCount () returned 0x11878d7 [0285.789] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe90 [0285.789] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.789] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.789] SetLastError (dwErrCode=0x0) [0285.790] WriteFile (in: hFile=0x23c, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.790] GetLastError () returned 0x0 [0285.791] GetLastError () returned 0x0 [0285.791] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.791] WriteFile (in: hFile=0x23c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.791] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.791] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xd0a97fa0, dwHighDateTime=0x1d5fd73)) [0285.791] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0285.791] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.791] WriteFile (in: hFile=0x23c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0285.791] GetProcessHeap () returned 0xa10000 [0285.791] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x80000) returned 0xc18020 [0285.793] GetSystemDefaultLangID () returned 0xa20409 [0285.793] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.793] ReadFile (in: hFile=0x23c, lpBuffer=0xc18020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xc18020*, lpNumberOfBytesRead=0x26eef8c*=0x80000, lpOverlapped=0x0) returned 1 [0285.827] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.828] WriteFile (in: hFile=0x23c, lpBuffer=0xc18020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xc18020*, lpNumberOfBytesWritten=0x26eef80*=0x80000, lpOverlapped=0x0) returned 1 [0285.829] GetProcessHeap () returned 0xa10000 [0285.829] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xc18020 | out: hHeap=0xa10000) returned 1 [0285.832] CloseHandle (hObject=0x23c) returned 1 [0285.844] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0285.844] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0285.844] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.844] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0285.844] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de318 [0285.844] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms.nefilim")) returned 1 [0285.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0285.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e8 | out: hHeap=0x28d0000) returned 1 [0285.845] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="..") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="...") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="windows") returned -1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="$RECYCLE.BIN") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="rsa") returned -1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ntldr") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="MSDOS.SYS") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="IO.SYS") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="boot.ini") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="AUTOEXEC.BAT") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ntuser.dat") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="desktop.ini") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="CONFIG.SYS") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="RECYCLER") returned -1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="BOOTSECT.BAK") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="bootmgr") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="programdata") returned -1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="appdata") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="program files") returned -1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="program files (x86)") returned -1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="microsoft") returned 1 [0285.845] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="sophos") returned -1 [0285.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbda8 [0285.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.846] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned=".blf" [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0285.846] lstrcmpiW (lpString1=".blf", lpString2=".NEFILIM") returned -1 [0285.847] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0285.847] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0285.847] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dbe50 [0285.847] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0285.848] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=65536) returned 1 [0285.848] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.848] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0285.848] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.848] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0285.848] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0285.848] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0285.848] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0285.851] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eef24*=0x100) returned 1 [0285.852] GetTickCount () returned 0x1187916 [0285.852] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0285.852] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.852] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.853] SetLastError (dwErrCode=0x0) [0285.853] WriteFile (in: hFile=0x23c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.854] GetLastError () returned 0x0 [0285.854] GetLastError () returned 0x0 [0285.854] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.854] WriteFile (in: hFile=0x23c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.854] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.854] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xd0b308ed, dwHighDateTime=0x1d5fd73)) [0285.854] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.854] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.854] WriteFile (in: hFile=0x23c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0285.854] GetProcessHeap () returned 0xa10000 [0285.854] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x10000) returned 0xa3e6a0 [0285.854] GetSystemDefaultLangID () returned 0xa20409 [0285.854] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.855] ReadFile (in: hFile=0x23c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eef8c*=0x10000, lpOverlapped=0x0) returned 1 [0285.859] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.859] WriteFile (in: hFile=0x23c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eef80*=0x10000, lpOverlapped=0x0) returned 1 [0285.859] GetProcessHeap () returned 0xa10000 [0285.859] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0285.859] CloseHandle (hObject=0x23c) returned 1 [0285.859] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0285.859] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0285.859] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.859] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0285.859] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dbcc0 [0285.859] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf.nefilim")) returned 1 [0285.860] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.860] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0285.860] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~3.REG")) returned 1 [0285.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0285.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0285.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="IO.SYS") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="RECYCLER") returned -1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="microsoft") returned 1 [0285.861] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="sophos") returned -1 [0285.861] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbcc0 [0285.861] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0285.861] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0285.861] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28d12e8 [0285.861] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0285.861] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0285.861] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0285.861] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0285.861] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0285.862] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0285.862] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.862] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbda8 [0285.862] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0285.863] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=524288) returned 1 [0285.863] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0285.863] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0285.863] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0285.863] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0285.863] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0285.863] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0285.863] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eef28*=0x100) returned 1 [0285.864] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eef24*=0x100) returned 1 [0285.866] GetTickCount () returned 0x1187925 [0285.866] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe90 [0285.866] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.866] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.866] SetLastError (dwErrCode=0x0) [0285.866] WriteFile (in: hFile=0x23c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.867] GetLastError () returned 0x0 [0285.867] GetLastError () returned 0x0 [0285.867] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.867] WriteFile (in: hFile=0x23c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.868] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.868] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xd0b569e9, dwHighDateTime=0x1d5fd73)) [0285.868] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0285.868] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.868] WriteFile (in: hFile=0x23c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0285.868] GetProcessHeap () returned 0xa10000 [0285.868] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x80000) returned 0xc1b020 [0285.870] GetSystemDefaultLangID () returned 0xa20409 [0285.870] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.870] ReadFile (in: hFile=0x23c, lpBuffer=0xc1b020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xc1b020*, lpNumberOfBytesRead=0x26eef8c*=0x80000, lpOverlapped=0x0) returned 1 [0285.913] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.914] WriteFile (in: hFile=0x23c, lpBuffer=0xc1b020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xc1b020*, lpNumberOfBytesWritten=0x26eef80*=0x80000, lpOverlapped=0x0) returned 1 [0285.915] GetProcessHeap () returned 0xa10000 [0285.916] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xc1b020 | out: hHeap=0xa10000) returned 1 [0285.919] CloseHandle (hObject=0x23c) returned 1 [0285.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0285.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0285.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0285.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0285.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de318 [0285.920] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms.nefilim")) returned 1 [0285.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de318 | out: hHeap=0x28d0000) returned 1 [0285.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0285.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12e8 | out: hHeap=0x28d0000) returned 1 [0285.921] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b716935, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b716935, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~4.REG")) returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="IO.SYS") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="RECYCLER") returned -1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0285.921] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="microsoft") returned 1 [0285.922] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="sophos") returned -1 [0285.922] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbda8 [0285.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.922] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0285.922] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28de638 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0285.922] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0285.922] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0285.922] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbcc0 [0285.922] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0285.923] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=524288) returned 1 [0285.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0285.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0285.923] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0285.923] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0285.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0285.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0285.923] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eef28*=0x100) returned 1 [0285.924] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0285.924] GetTickCount () returned 0x1187954 [0285.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe90 [0285.924] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.924] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.924] SetLastError (dwErrCode=0x0) [0285.924] WriteFile (in: hFile=0x23c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.926] GetLastError () returned 0x0 [0285.926] GetLastError () returned 0x0 [0285.927] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.927] WriteFile (in: hFile=0x23c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0285.927] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.927] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xd0bef499, dwHighDateTime=0x1d5fd73)) [0285.927] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0285.927] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.927] WriteFile (in: hFile=0x23c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0285.927] GetProcessHeap () returned 0xa10000 [0285.927] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x80000) returned 0xc14020 [0285.929] GetSystemDefaultLangID () returned 0xa20409 [0285.929] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.929] ReadFile (in: hFile=0x23c, lpBuffer=0xc14020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xc14020*, lpNumberOfBytesRead=0x26eef8c*=0x80000, lpOverlapped=0x0) returned 1 [0285.972] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0285.973] WriteFile (in: hFile=0x23c, lpBuffer=0xc14020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xc14020*, lpNumberOfBytesWritten=0x26eef80*=0x80000, lpOverlapped=0x0) returned 1 [0285.975] GetProcessHeap () returned 0xa10000 [0285.975] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xc14020 | out: hHeap=0xa10000) returned 1 [0285.978] CloseHandle (hObject=0x23c) returned 1 [0285.978] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0285.978] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0285.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0285.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0285.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xf0) returned 0x28de720 [0285.979] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms.nefilim")) returned 1 [0285.980] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0285.980] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.980] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de638 | out: hHeap=0x28d0000) returned 1 [0285.980] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="$RECYCLE.BIN") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="NTDETECT.COM") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="ntldr") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="MSDOS.SYS") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="IO.SYS") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="boot.ini") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="desktop.ini") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="CONFIG.SYS") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="RECYCLER") returned -1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="BOOTSECT.BAK") returned 1 [0285.980] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0285.981] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0285.981] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0285.981] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0285.981] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0285.981] lstrcmpiW (lpString1="Pictures", lpString2="microsoft") returned 1 [0285.981] lstrcmpiW (lpString1="Pictures", lpString2="sophos") returned -1 [0285.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0285.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0285.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.981] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0285.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.981] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0285.981] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.981] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.981] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 0 [0285.982] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0285.982] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.982] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.982] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.982] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="...") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="$RECYCLE.BIN") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="rsa") returned -1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="NTDETECT.COM") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="ntldr") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="MSDOS.SYS") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="IO.SYS") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="boot.ini") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="AUTOEXEC.BAT") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="ntuser.dat") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="desktop.ini") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="CONFIG.SYS") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="RECYCLER") returned -1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="BOOTSECT.BAK") returned 1 [0285.982] lstrcmpiW (lpString1="PrintHood", lpString2="bootmgr") returned 1 [0285.983] lstrcmpiW (lpString1="PrintHood", lpString2="programdata") returned -1 [0285.983] lstrcmpiW (lpString1="PrintHood", lpString2="appdata") returned 1 [0285.983] lstrcmpiW (lpString1="PrintHood", lpString2="program files") returned -1 [0285.983] lstrcmpiW (lpString1="PrintHood", lpString2="program files (x86)") returned -1 [0285.983] lstrcmpiW (lpString1="PrintHood", lpString2="microsoft") returned 1 [0285.983] lstrcmpiW (lpString1="PrintHood", lpString2="sophos") returned -1 [0285.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0285.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0285.983] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x18000119, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x18000119, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="", cAlternateFileName="ɮ⊺\x01봈ʍ변ʍ6")) returned 0xffffffff [0285.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.983] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0285.983] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0285.983] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0285.983] lstrcmpiW (lpString1="Recent", lpString2="...") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="$RECYCLE.BIN") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="rsa") returned -1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="NTDETECT.COM") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="ntldr") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="MSDOS.SYS") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="IO.SYS") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="boot.ini") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="AUTOEXEC.BAT") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="ntuser.dat") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="desktop.ini") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="CONFIG.SYS") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="RECYCLER") returned -1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="BOOTSECT.BAK") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="programdata") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="appdata") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="program files") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="program files (x86)") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="microsoft") returned 1 [0285.984] lstrcmpiW (lpString1="Recent", lpString2="sophos") returned -1 [0285.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd08 [0285.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x46) returned 0x28dbd40 [0285.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0285.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdd8 [0285.985] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Recent\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x2f00002f, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x18000119, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍ뵀ʍ0")) returned 0xffffffff [0285.985] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0285.985] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0285.985] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.985] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="...") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="$RECYCLE.BIN") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="rsa") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="NTDETECT.COM") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="ntldr") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="MSDOS.SYS") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="IO.SYS") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="boot.ini") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="AUTOEXEC.BAT") returned 1 [0285.985] lstrcmpiW (lpString1="Saved Games", lpString2="ntuser.dat") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="desktop.ini") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="CONFIG.SYS") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="RECYCLER") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="BOOTSECT.BAK") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="bootmgr") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="programdata") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="appdata") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="program files") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="program files (x86)") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="microsoft") returned 1 [0285.986] lstrcmpiW (lpString1="Saved Games", lpString2="sophos") returned -1 [0285.986] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.986] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd40 | out: hHeap=0x28d0000) returned 1 [0285.986] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.986] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.986] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0285.986] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0285.986] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.986] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0285.987] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.987] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.987] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 0 [0285.987] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0285.987] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.987] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.987] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.987] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="...") returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="$RECYCLE.BIN") returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="rsa") returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="NTDETECT.COM") returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="ntldr") returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="MSDOS.SYS") returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="IO.SYS") returned 1 [0285.987] lstrcmpiW (lpString1="SendTo", lpString2="boot.ini") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="AUTOEXEC.BAT") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="ntuser.dat") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="desktop.ini") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="CONFIG.SYS") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="RECYCLER") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="BOOTSECT.BAK") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="bootmgr") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="programdata") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="appdata") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="program files") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="program files (x86)") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="microsoft") returned 1 [0285.988] lstrcmpiW (lpString1="SendTo", lpString2="sophos") returned -1 [0285.988] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd08 [0285.988] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x46) returned 0x28dbd40 [0285.988] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.988] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.988] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.988] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0285.988] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdd8 [0285.988] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\SendTo\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x2f00002f, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x18000119, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍ뵀ʍ0")) returned 0xffffffff [0285.989] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0285.989] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0285.989] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.989] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="$RECYCLE.BIN") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="NTDETECT.COM") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="ntldr") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="MSDOS.SYS") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="IO.SYS") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="boot.ini") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="AUTOEXEC.BAT") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="desktop.ini") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="CONFIG.SYS") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="RECYCLER") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="BOOTSECT.BAK") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0285.989] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0285.990] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0285.990] lstrcmpiW (lpString1="Start Menu", lpString2="microsoft") returned 1 [0285.990] lstrcmpiW (lpString1="Start Menu", lpString2="sophos") returned 1 [0285.990] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.990] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd40 | out: hHeap=0x28d0000) returned 1 [0285.990] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.990] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.990] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0285.990] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x18000119, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x2f00002f, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName="", cAlternateFileName="ɮ⊺\x01봈ʍ변ʍ8")) returned 0xffffffff [0285.990] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.990] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.990] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.990] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0285.990] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0285.990] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0285.990] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0285.990] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0285.990] lstrcmpiW (lpString1="Templates", lpString2="$RECYCLE.BIN") returned 1 [0285.990] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0285.990] lstrcmpiW (lpString1="Templates", lpString2="NTDETECT.COM") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="ntldr") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="MSDOS.SYS") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="IO.SYS") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="boot.ini") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="AUTOEXEC.BAT") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="desktop.ini") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="CONFIG.SYS") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="RECYCLER") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="BOOTSECT.BAK") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="microsoft") returned 1 [0285.991] lstrcmpiW (lpString1="Templates", lpString2="sophos") returned 1 [0285.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.991] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0285.991] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0285.991] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Templates\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x18000119, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x37000037, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x18000119, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍ봈ʍ6")) returned 0xffffffff [0285.992] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0285.992] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.992] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.992] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="$RECYCLE.BIN") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="NTDETECT.COM") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="ntldr") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="MSDOS.SYS") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="IO.SYS") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="boot.ini") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="AUTOEXEC.BAT") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="desktop.ini") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="CONFIG.SYS") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="RECYCLER") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="BOOTSECT.BAK") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0285.992] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0285.993] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0285.993] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0285.993] lstrcmpiW (lpString1="Videos", lpString2="microsoft") returned 1 [0285.993] lstrcmpiW (lpString1="Videos", lpString2="sophos") returned 1 [0285.993] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0285.993] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x46) returned 0x28dbd50 [0285.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.993] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.993] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0285.993] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbda0 [0285.993] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f320 [0285.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0285.993] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0285.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0285.993] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0285.993] FindNextFileW (in: hFindFile=0xa2f320, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 0 [0285.993] FindClose (in: hFindFile=0xa2f320 | out: hFindFile=0xa2f320) returned 1 [0285.994] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0285.994] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0285.994] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.994] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0285.994] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0285.994] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0285.994] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0285.994] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0285.994] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2=".") returned 1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="..") returned 1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="...") returned 1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="windows") returned -1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="$RECYCLE.BIN") returned 1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="rsa") returned -1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="NTDETECT.COM") returned -1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="ntldr") returned -1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="MSDOS.SYS") returned -1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="IO.SYS") returned -1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="boot.ini") returned 1 [0285.994] lstrcmpiW (lpString1="Default User", lpString2="AUTOEXEC.BAT") returned 1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="ntuser.dat") returned -1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="desktop.ini") returned -1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="CONFIG.SYS") returned 1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="RECYCLER") returned -1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="BOOTSECT.BAK") returned 1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="bootmgr") returned 1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="programdata") returned -1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="appdata") returned 1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="program files") returned -1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="program files (x86)") returned -1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="microsoft") returned -1 [0285.995] lstrcmpiW (lpString1="Default User", lpString2="sophos") returned -1 [0285.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0285.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0285.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0285.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12b0 [0285.995] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.995] FindFirstFileW (in: lpFileName="C:\\Users\\Default User\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2000002, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0xd00000d, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x49000049, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01ᒸʍቸʍ,")) returned 0xffffffff [0285.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0285.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0285.995] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0285.995] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="Default.migrated", cAlternateFileName="DEFAUL~1.MIG")) returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2=".") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="..") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="...") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="windows") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="$RECYCLE.BIN") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="rsa") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="NTDETECT.COM") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="ntldr") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="MSDOS.SYS") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="IO.SYS") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="boot.ini") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="AUTOEXEC.BAT") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="ntuser.dat") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="desktop.ini") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="CONFIG.SYS") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="RECYCLER") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="BOOTSECT.BAK") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="bootmgr") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="programdata") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="appdata") returned 1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="program files") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="program files (x86)") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="microsoft") returned -1 [0285.996] lstrcmpiW (lpString1="Default.migrated", lpString2="sophos") returned -1 [0285.996] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0285.996] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0285.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0285.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0285.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0285.997] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f9e0 [0286.000] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0286.000] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.000] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0286.000] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0286.000] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="$RECYCLE.BIN") returned 1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="NTDETECT.COM") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="ntldr") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="MSDOS.SYS") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="IO.SYS") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="boot.ini") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="AUTOEXEC.BAT") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="desktop.ini") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="CONFIG.SYS") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="RECYCLER") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="BOOTSECT.BAK") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0286.001] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0286.001] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0286.001] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0286.001] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0286.001] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0286.001] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0286.002] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0286.002] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd08 [0286.002] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0286.003] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd60 [0286.003] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdb8 [0286.003] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe10 [0286.003] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f4a0 [0286.006] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0286.006] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.006] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0286.006] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0286.006] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99a3d0f, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99a3d0f, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99a3d0f, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0286.006] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0286.006] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0286.006] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0286.006] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0286.006] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0286.006] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0286.006] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0286.006] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0286.006] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="microsoft") returned 1 [0286.007] lstrcmpiW (lpString1="My Music", lpString2="sophos") returned -1 [0286.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe68 [0286.007] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0286.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0286.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de788 [0286.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de7f0 [0286.007] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\My Music\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff6cd8, ftCreationTime.dwHighDateTime=0xf00003f3, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x18000119, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01ʍ빨ʍZ")) returned 0xffffffff [0286.008] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f0 | out: hHeap=0x28d0000) returned 1 [0286.008] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0286.008] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.008] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0286.008] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0286.009] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0286.009] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0286.009] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0286.009] lstrcmpiW (lpString1="My Pictures", lpString2="microsoft") returned 1 [0286.009] lstrcmpiW (lpString1="My Pictures", lpString2="sophos") returned -1 [0286.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0286.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x8e) returned 0x28de788 [0286.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0286.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe10 [0286.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe88 [0286.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de820 [0286.009] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\My Pictures\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff6cd8, ftCreationTime.dwHighDateTime=0xf90000f9, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xf00003f3, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="", cAlternateFileName="ɮ⊺\x01븐ʍʍ`")) returned 0xffffffff [0286.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de820 | out: hHeap=0x28d0000) returned 1 [0286.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe88 | out: hHeap=0x28d0000) returned 1 [0286.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0286.009] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0286.009] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0286.009] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="microsoft") returned 1 [0286.010] lstrcmpiW (lpString1="My Videos", lpString2="sophos") returned -1 [0286.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0286.010] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0286.011] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe10 [0286.011] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe78 [0286.011] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de788 [0286.011] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\My Videos\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff6cd8, ftCreationTime.dwHighDateTime=0xd00010c, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xf00003f3, nFileSizeHigh=0x28d0000, nFileSizeLow=0x1f00001f, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="", cAlternateFileName="ɮ⊺\x01븐ʍʍ\\")) returned 0xffffffff [0286.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0286.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe78 | out: hHeap=0x28d0000) returned 1 [0286.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe10 | out: hHeap=0x28d0000) returned 1 [0286.011] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0286.011] FindClose (in: hFindFile=0xa2f4a0 | out: hFindFile=0xa2f4a0) returned 1 [0286.012] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.012] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb8 | out: hHeap=0x28d0000) returned 1 [0286.012] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd60 | out: hHeap=0x28d0000) returned 1 [0286.012] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0 [0286.012] FindClose (in: hFindFile=0xa2f9e0 | out: hFindFile=0xa2f9e0) returned 1 [0286.012] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0286.012] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0286.012] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0286.013] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a9bc987, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0286.013] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0286.013] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="FD1HVy", cAlternateFileName="")) returned 1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2=".") returned 1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2="..") returned 1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2="...") returned 1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2="windows") returned -1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2="$RECYCLE.BIN") returned 1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2="rsa") returned -1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2="NTDETECT.COM") returned -1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2="ntldr") returned -1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2="MSDOS.SYS") returned -1 [0286.013] lstrcmpiW (lpString1="FD1HVy", lpString2="IO.SYS") returned -1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="boot.ini") returned 1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="AUTOEXEC.BAT") returned 1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="ntuser.dat") returned -1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="desktop.ini") returned 1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="CONFIG.SYS") returned 1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="RECYCLER") returned -1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="BOOTSECT.BAK") returned 1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="bootmgr") returned 1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="programdata") returned -1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="appdata") returned 1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="program files") returned -1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="program files (x86)") returned -1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="microsoft") returned -1 [0286.014] lstrcmpiW (lpString1="FD1HVy", lpString2="sophos") returned -1 [0286.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28de408 [0286.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d1278 [0286.014] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de408 | out: hHeap=0x28d0000) returned 1 [0286.014] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0286.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d14b8 [0286.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28d12b0 [0286.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0286.014] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0286.015] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0286.015] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="..", cAlternateFileName="")) returned 1 [0286.015] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0286.015] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0286.015] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="AppData", cAlternateFileName="")) returned 1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="$RECYCLE.BIN") returned 1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="NTDETECT.COM") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="ntldr") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="MSDOS.SYS") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="IO.SYS") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="boot.ini") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="AUTOEXEC.BAT") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="desktop.ini") returned -1 [0286.015] lstrcmpiW (lpString1="AppData", lpString2="CONFIG.SYS") returned -1 [0286.016] lstrcmpiW (lpString1="AppData", lpString2="RECYCLER") returned -1 [0286.016] lstrcmpiW (lpString1="AppData", lpString2="BOOTSECT.BAK") returned -1 [0286.016] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0286.016] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0286.016] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0286.016] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="$RECYCLE.BIN") returned 1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="NTDETECT.COM") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="ntldr") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="MSDOS.SYS") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="IO.SYS") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="boot.ini") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="AUTOEXEC.BAT") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="desktop.ini") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="CONFIG.SYS") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="RECYCLER") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="BOOTSECT.BAK") returned -1 [0286.016] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0286.017] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0286.017] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0286.017] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0286.017] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0286.017] lstrcmpiW (lpString1="Application Data", lpString2="microsoft") returned -1 [0286.017] lstrcmpiW (lpString1="Application Data", lpString2="sophos") returned -1 [0286.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcf8 [0286.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0286.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd50 [0286.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda8 [0286.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe00 [0286.017] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Application Data\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x1d32744, ftCreationTime.dwHighDateTime=0x18000119, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x18000119, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01뵐ʍ본ʍB")) returned 0xffffffff [0286.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0286.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0286.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0286.017] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Contacts", cAlternateFileName="")) returned 1 [0286.017] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="...") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="windows") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="$RECYCLE.BIN") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="rsa") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="NTDETECT.COM") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="ntldr") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="MSDOS.SYS") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="IO.SYS") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="boot.ini") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="AUTOEXEC.BAT") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="ntuser.dat") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="desktop.ini") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="CONFIG.SYS") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="RECYCLER") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="BOOTSECT.BAK") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="bootmgr") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="programdata") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="appdata") returned 1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="program files") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="program files (x86)") returned -1 [0286.018] lstrcmpiW (lpString1="Contacts", lpString2="microsoft") returned -1 [0286.019] lstrcmpiW (lpString1="Contacts", lpString2="sophos") returned -1 [0286.019] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0286.019] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0286.019] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0286.019] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0286.019] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0286.019] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Contacts\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0286.019] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0286.019] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.019] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0286.019] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0286.019] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0286.019] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0286.019] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0286.019] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0286.019] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0286.019] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0286.020] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0286.020] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0286.020] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0286.020] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0286.020] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0286.020] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0286.020] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0286.020] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0286.020] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0286.020] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0286.020] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0286.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0286.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0286.020] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Cookies", cAlternateFileName="")) returned 1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="...") returned 1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="$RECYCLE.BIN") returned 1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="rsa") returned -1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="NTDETECT.COM") returned -1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="ntldr") returned -1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="MSDOS.SYS") returned -1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="IO.SYS") returned -1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="boot.ini") returned 1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="AUTOEXEC.BAT") returned 1 [0286.020] lstrcmpiW (lpString1="Cookies", lpString2="ntuser.dat") returned -1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="desktop.ini") returned -1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="CONFIG.SYS") returned 1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="RECYCLER") returned -1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="BOOTSECT.BAK") returned 1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="bootmgr") returned 1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="programdata") returned -1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="appdata") returned 1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="program files") returned -1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="program files (x86)") returned -1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="microsoft") returned -1 [0286.021] lstrcmpiW (lpString1="Cookies", lpString2="sophos") returned -1 [0286.021] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0286.021] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x46) returned 0x28dbcf8 [0286.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0286.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0286.021] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0286.021] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0286.021] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbde0 [0286.021] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Cookies\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x18000119, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x2e00002e, nFileSizeHigh=0x28d0000, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x2e00002e, cFileName="", cAlternateFileName="ɮ⊺\x01뵐ʍ본ʍ0")) returned 0xffffffff [0286.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde0 | out: hHeap=0x28d0000) returned 1 [0286.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0286.022] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a8a98d7, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0x3a8a98d7, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Desktop", cAlternateFileName="")) returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0286.022] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0286.023] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0286.023] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0286.023] lstrcmpiW (lpString1="Desktop", lpString2="microsoft") returned -1 [0286.023] lstrcmpiW (lpString1="Desktop", lpString2="sophos") returned -1 [0286.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbcc0 [0286.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x46) returned 0x28dbd50 [0286.023] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0286.023] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcf8 | out: hHeap=0x28d0000) returned 1 [0286.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0286.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0286.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbda0 [0286.023] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a8a98d7, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0x3a8a98d7, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f4a0 [0286.023] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0286.023] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a8a98d7, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0x3a8a98d7, ftLastWriteTime.dwHighDateTime=0x1d5fd73, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0286.023] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0286.023] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0286.023] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dc0e80, ftCreationTime.dwHighDateTime=0x1d5e2e2, ftLastAccessTime.dwLowDateTime=0xa985de90, ftLastAccessTime.dwHighDateTime=0x1d5f08f, ftLastWriteTime.dwLowDateTime=0xa985de90, ftLastWriteTime.dwHighDateTime=0x1d5f08f, nFileSizeHigh=0x0, nFileSizeLow=0xf5e9, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="-Styu5M.ods", cAlternateFileName="")) returned 1 [0286.023] lstrcmpiW (lpString1="-Styu5M.ods", lpString2=".") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="..") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="...") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="windows") returned -1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="$RECYCLE.BIN") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="rsa") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="NTDETECT.COM") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="ntldr") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="MSDOS.SYS") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="IO.SYS") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="boot.ini") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="AUTOEXEC.BAT") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="ntuser.dat") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="desktop.ini") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="CONFIG.SYS") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="RECYCLER") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="BOOTSECT.BAK") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="bootmgr") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="programdata") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="appdata") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="program files") returned 1 [0286.024] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="program files (x86)") returned 1 [0286.025] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="microsoft") returned 1 [0286.025] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="sophos") returned 1 [0286.025] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbde8 [0286.025] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.025] PathFindExtensionW (pszPath="-Styu5M.ods") returned=".ods" [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0286.025] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0286.026] lstrcmpiW (lpString1=".ods", lpString2=".NEFILIM") returned 1 [0286.026] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0286.026] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0286.026] lstrcmpiW (lpString1="-Styu5M.ods", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.026] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe40 [0286.026] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\-Styu5M.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\-styu5m.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.026] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=62953) returned 1 [0286.026] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.026] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.026] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.026] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.026] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.026] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0286.026] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.028] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.030] GetTickCount () returned 0x11879c2 [0286.030] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbda0 [0286.030] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.030] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf5e9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.030] SetLastError (dwErrCode=0x0) [0286.030] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.031] GetLastError () returned 0x0 [0286.031] GetLastError () returned 0x0 [0286.031] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf6e9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.031] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.031] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf7e9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.032] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0cd42c0, dwHighDateTime=0x1d5fd73)) [0286.032] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbda0 [0286.032] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.032] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.032] GetProcessHeap () returned 0xa10000 [0286.032] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xf5e9) returned 0xa3e6a0 [0286.032] GetSystemDefaultLangID () returned 0xa20409 [0286.032] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.032] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xf5e9, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xf5e9, lpOverlapped=0x0) returned 1 [0286.037] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.037] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xf5e9, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xf5e9, lpOverlapped=0x0) returned 1 [0286.038] GetProcessHeap () returned 0xa10000 [0286.038] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.038] CloseHandle (hObject=0x26c) returned 1 [0286.039] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.039] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0286.039] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.039] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe98 [0286.039] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\-Styu5M.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\-styu5m.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\-Styu5M.ods.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\-styu5m.ods.nefilim")) returned 1 [0286.041] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe98 | out: hHeap=0x28d0000) returned 1 [0286.041] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0286.041] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x653e460, ftCreationTime.dwHighDateTime=0x1d5e649, ftLastAccessTime.dwLowDateTime=0xf62c60c0, ftLastAccessTime.dwHighDateTime=0x1d5eb67, ftLastWriteTime.dwLowDateTime=0xf62c60c0, ftLastWriteTime.dwHighDateTime=0x1d5eb67, nFileSizeHigh=0x0, nFileSizeLow=0x9fd9, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="2-lG4TKHW-k Hj4jFMX.png", cAlternateFileName="2-LG4T~1.PNG")) returned 1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2=".") returned 1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="..") returned 1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="...") returned 1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="windows") returned -1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="$RECYCLE.BIN") returned 1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="rsa") returned -1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="NTDETECT.COM") returned -1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="ntldr") returned -1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="MSDOS.SYS") returned -1 [0286.041] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="IO.SYS") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="boot.ini") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="AUTOEXEC.BAT") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="ntuser.dat") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="desktop.ini") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="CONFIG.SYS") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="RECYCLER") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="BOOTSECT.BAK") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="bootmgr") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="programdata") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="appdata") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="program files") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="program files (x86)") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="microsoft") returned -1 [0286.042] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="sophos") returned -1 [0286.042] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe40 [0286.042] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde8 | out: hHeap=0x28d0000) returned 1 [0286.042] PathFindExtensionW (pszPath="2-lG4TKHW-k Hj4jFMX.png") returned=".png" [0286.042] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0286.042] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0286.042] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0286.043] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0286.043] lstrcmpiW (lpString1="2-lG4TKHW-k Hj4jFMX.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.043] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.043] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\2-lG4TKHW-k Hj4jFMX.png" (normalized: "c:\\users\\fd1hvy\\desktop\\2-lg4tkhw-k hj4jfmx.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.044] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=40921) returned 1 [0286.044] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.044] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.044] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.044] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.044] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.044] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.044] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.046] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.047] GetTickCount () returned 0x11879d1 [0286.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe08 [0286.048] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.048] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9fd9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.048] SetLastError (dwErrCode=0x0) [0286.048] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.049] GetLastError () returned 0x0 [0286.049] GetLastError () returned 0x0 [0286.049] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa0d9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.049] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.049] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa1d9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.050] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0d20683, dwHighDateTime=0x1d5fd73)) [0286.050] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea8 [0286.050] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea8 | out: hHeap=0x28d0000) returned 1 [0286.050] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.050] GetProcessHeap () returned 0xa10000 [0286.050] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x9fd9) returned 0xa3e6a0 [0286.050] GetSystemDefaultLangID () returned 0xa20409 [0286.050] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.050] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x9fd9, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x9fd9, lpOverlapped=0x0) returned 1 [0286.053] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.053] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x9fd9, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x9fd9, lpOverlapped=0x0) returned 1 [0286.053] GetProcessHeap () returned 0xa10000 [0286.053] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.053] CloseHandle (hObject=0x26c) returned 1 [0286.054] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.055] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.055] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.055] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.055] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0286.055] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\2-lG4TKHW-k Hj4jFMX.png" (normalized: "c:\\users\\fd1hvy\\desktop\\2-lg4tkhw-k hj4jfmx.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\2-lG4TKHW-k Hj4jFMX.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\2-lg4tkhw-k hj4jfmx.png.nefilim")) returned 1 [0286.056] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.056] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.056] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d37c10, ftCreationTime.dwHighDateTime=0x1d5e17e, ftLastAccessTime.dwLowDateTime=0xa662ebc0, ftLastAccessTime.dwHighDateTime=0x1d5e3ee, ftLastWriteTime.dwLowDateTime=0xa662ebc0, ftLastWriteTime.dwHighDateTime=0x1d5e3ee, nFileSizeHigh=0x0, nFileSizeLow=0x132a9, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="2hSh8U.m4a", cAlternateFileName="")) returned 1 [0286.056] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2=".") returned 1 [0286.056] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="..") returned 1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="...") returned 1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="windows") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="$RECYCLE.BIN") returned 1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="rsa") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="NTDETECT.COM") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="ntldr") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="MSDOS.SYS") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="IO.SYS") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="boot.ini") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="AUTOEXEC.BAT") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="ntuser.dat") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="desktop.ini") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="CONFIG.SYS") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="RECYCLER") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="BOOTSECT.BAK") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="bootmgr") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="programdata") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="appdata") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="program files") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="program files (x86)") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="microsoft") returned -1 [0286.057] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="sophos") returned -1 [0286.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbea8 [0286.057] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0286.057] PathFindExtensionW (pszPath="2hSh8U.m4a") returned=".m4a" [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0286.058] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0286.058] lstrcmpiW (lpString1="2hSh8U.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.058] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.058] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\2hSh8U.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\2hsh8u.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.059] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=78505) returned 1 [0286.059] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.059] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0286.059] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.059] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0286.059] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.059] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0286.059] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.059] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.061] GetTickCount () returned 0x11879e1 [0286.061] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbdf8 [0286.061] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.061] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x132a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.061] SetLastError (dwErrCode=0x0) [0286.061] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.062] GetLastError () returned 0x0 [0286.062] GetLastError () returned 0x0 [0286.062] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x133a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.062] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.063] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x134a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.063] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0d20683, dwHighDateTime=0x1d5fd73)) [0286.063] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdf8 [0286.063] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.063] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.063] GetProcessHeap () returned 0xa10000 [0286.063] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x132a9) returned 0xa3e6a0 [0286.064] GetSystemDefaultLangID () returned 0xa20409 [0286.064] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.064] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x132a9, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x132a9, lpOverlapped=0x0) returned 1 [0286.071] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.071] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x132a9, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x132a9, lpOverlapped=0x0) returned 1 [0286.071] GetProcessHeap () returned 0xa10000 [0286.071] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.072] CloseHandle (hObject=0x26c) returned 1 [0286.073] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.073] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0286.073] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.073] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0286.073] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf8 [0286.073] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\2hSh8U.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\2hsh8u.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\2hSh8U.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\2hsh8u.m4a.nefilim")) returned 1 [0286.074] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.074] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.075] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8df624b0, ftCreationTime.dwHighDateTime=0x1d5e864, ftLastAccessTime.dwLowDateTime=0x69170410, ftLastAccessTime.dwHighDateTime=0x1d5e617, ftLastWriteTime.dwLowDateTime=0x69170410, ftLastWriteTime.dwHighDateTime=0x1d5e617, nFileSizeHigh=0x0, nFileSizeLow=0x5cac, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="3mycj_ndu3kK1nTyAtp.mkv", cAlternateFileName="3MYCJ_~1.MKV")) returned 1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2=".") returned 1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="..") returned 1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="...") returned 1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="windows") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="$RECYCLE.BIN") returned 1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="rsa") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="NTDETECT.COM") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="ntldr") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="MSDOS.SYS") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="IO.SYS") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="boot.ini") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="AUTOEXEC.BAT") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="ntuser.dat") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="desktop.ini") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="CONFIG.SYS") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="RECYCLER") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="BOOTSECT.BAK") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="bootmgr") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="programdata") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="appdata") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="program files") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="program files (x86)") returned -1 [0286.075] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="microsoft") returned -1 [0286.076] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="sophos") returned -1 [0286.076] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.076] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea8 | out: hHeap=0x28d0000) returned 1 [0286.076] PathFindExtensionW (pszPath="3mycj_ndu3kK1nTyAtp.mkv") returned=".mkv" [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0286.076] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0286.076] lstrcmpiW (lpString1="3mycj_ndu3kK1nTyAtp.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.076] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe08 [0286.076] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\3mycj_ndu3kK1nTyAtp.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\3mycj_ndu3kk1ntyatp.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.077] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=23724) returned 1 [0286.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.077] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.077] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.077] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.077] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.079] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.082] GetTickCount () returned 0x1187a00 [0286.082] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe70 [0286.082] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.082] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5cac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.082] SetLastError (dwErrCode=0x0) [0286.082] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.083] GetLastError () returned 0x0 [0286.083] GetLastError () returned 0x0 [0286.083] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5dac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.084] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.084] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5eac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.084] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0d6cb3f, dwHighDateTime=0x1d5fd73)) [0286.084] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe70 [0286.084] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.084] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.084] GetProcessHeap () returned 0xa10000 [0286.084] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x5cac) returned 0xa3e6a0 [0286.085] GetSystemDefaultLangID () returned 0xa20409 [0286.085] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.085] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x5cac, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x5cac, lpOverlapped=0x0) returned 1 [0286.087] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.087] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x5cac, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x5cac, lpOverlapped=0x0) returned 1 [0286.088] GetProcessHeap () returned 0xa10000 [0286.088] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.089] CloseHandle (hObject=0x26c) returned 1 [0286.090] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.090] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.090] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.090] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.090] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0286.090] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\3mycj_ndu3kK1nTyAtp.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\3mycj_ndu3kk1ntyatp.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\3mycj_ndu3kK1nTyAtp.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\3mycj_ndu3kk1ntyatp.mkv.nefilim")) returned 1 [0286.092] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.092] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.092] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e21520, ftCreationTime.dwHighDateTime=0x1d5e7b6, ftLastAccessTime.dwLowDateTime=0xcacf0470, ftLastAccessTime.dwHighDateTime=0x1d5eb0b, ftLastWriteTime.dwLowDateTime=0xcacf0470, ftLastWriteTime.dwHighDateTime=0x1d5eb0b, nFileSizeHigh=0x0, nFileSizeLow=0x135ec, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="3NIDkWq0vJc7EBs.csv", cAlternateFileName="3NIDKW~1.CSV")) returned 1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2=".") returned 1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="..") returned 1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="...") returned 1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="windows") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="$RECYCLE.BIN") returned 1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="rsa") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="NTDETECT.COM") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="ntldr") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="MSDOS.SYS") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="IO.SYS") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="boot.ini") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="AUTOEXEC.BAT") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="ntuser.dat") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="desktop.ini") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="CONFIG.SYS") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="RECYCLER") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="BOOTSECT.BAK") returned -1 [0286.092] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="bootmgr") returned -1 [0286.093] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="programdata") returned -1 [0286.093] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="appdata") returned -1 [0286.093] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="program files") returned -1 [0286.093] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="program files (x86)") returned -1 [0286.093] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="microsoft") returned -1 [0286.093] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="sophos") returned -1 [0286.093] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe08 [0286.093] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.093] PathFindExtensionW (pszPath="3NIDkWq0vJc7EBs.csv") returned=".csv" [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".NEFILIM") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0286.093] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0286.094] lstrcmpiW (lpString1="3NIDkWq0vJc7EBs.csv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.094] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.094] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\3NIDkWq0vJc7EBs.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\3nidkwq0vjc7ebs.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.094] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=79340) returned 1 [0286.094] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.094] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0286.094] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.094] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0286.094] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.094] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.094] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.097] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.097] GetTickCount () returned 0x1187a10 [0286.097] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe70 [0286.097] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.097] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x135ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.097] SetLastError (dwErrCode=0x0) [0286.097] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.098] GetLastError () returned 0x0 [0286.098] GetLastError () returned 0x0 [0286.098] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x136ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.099] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.099] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x137ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.099] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0d92d1c, dwHighDateTime=0x1d5fd73)) [0286.099] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe70 [0286.099] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.099] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.099] GetProcessHeap () returned 0xa10000 [0286.099] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x135ec) returned 0xa3e6a0 [0286.099] GetSystemDefaultLangID () returned 0xa20409 [0286.100] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.100] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x135ec, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x135ec, lpOverlapped=0x0) returned 1 [0286.105] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.105] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x135ec, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x135ec, lpOverlapped=0x0) returned 1 [0286.106] GetProcessHeap () returned 0xa10000 [0286.106] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.106] CloseHandle (hObject=0x26c) returned 1 [0286.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0286.107] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0286.108] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\3NIDkWq0vJc7EBs.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\3nidkwq0vjc7ebs.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\3NIDkWq0vJc7EBs.csv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\3nidkwq0vjc7ebs.csv.nefilim")) returned 1 [0286.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.109] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf419a20, ftCreationTime.dwHighDateTime=0x1d5e2c9, ftLastAccessTime.dwLowDateTime=0x66216ce0, ftLastAccessTime.dwHighDateTime=0x1d5e95b, ftLastWriteTime.dwLowDateTime=0x66216ce0, ftLastWriteTime.dwHighDateTime=0x1d5e95b, nFileSizeHigh=0x0, nFileSizeLow=0x1528f, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="4vaOnlg8Ucovmt.flv", cAlternateFileName="4VAONL~1.FLV")) returned 1 [0286.109] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2=".") returned 1 [0286.109] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="..") returned 1 [0286.109] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="...") returned 1 [0286.109] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="windows") returned -1 [0286.109] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="$RECYCLE.BIN") returned 1 [0286.109] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="rsa") returned -1 [0286.109] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="NTDETECT.COM") returned -1 [0286.109] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="ntldr") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="MSDOS.SYS") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="IO.SYS") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="boot.ini") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="AUTOEXEC.BAT") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="ntuser.dat") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="desktop.ini") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="CONFIG.SYS") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="RECYCLER") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="BOOTSECT.BAK") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="bootmgr") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="programdata") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="appdata") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="program files") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="program files (x86)") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="microsoft") returned -1 [0286.110] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="sophos") returned -1 [0286.110] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.110] PathFindExtensionW (pszPath="4vaOnlg8Ucovmt.flv") returned=".flv" [0286.110] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0286.110] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0286.110] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0286.110] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0286.110] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0286.111] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0286.111] lstrcmpiW (lpString1="4vaOnlg8Ucovmt.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.111] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe08 [0286.111] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\4vaOnlg8Ucovmt.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\4vaonlg8ucovmt.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.111] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=86671) returned 1 [0286.111] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0286.111] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0286.112] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0286.112] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0286.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.112] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.114] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.116] GetTickCount () returned 0x1187a1f [0286.116] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe70 [0286.116] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.116] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1528f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.116] SetLastError (dwErrCode=0x0) [0286.116] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.117] GetLastError () returned 0x0 [0286.118] GetLastError () returned 0x0 [0286.118] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1538f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.118] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.118] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1548f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.118] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0db8fe7, dwHighDateTime=0x1d5fd73)) [0286.118] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe70 [0286.118] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.118] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.118] GetProcessHeap () returned 0xa10000 [0286.118] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1528f) returned 0xa3e6a0 [0286.118] GetSystemDefaultLangID () returned 0xa20409 [0286.118] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.118] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x1528f, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x1528f, lpOverlapped=0x0) returned 1 [0286.124] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.124] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x1528f, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x1528f, lpOverlapped=0x0) returned 1 [0286.125] GetProcessHeap () returned 0xa10000 [0286.125] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.125] CloseHandle (hObject=0x26c) returned 1 [0286.126] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.126] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.126] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0286.126] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0286.126] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0286.126] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\4vaOnlg8Ucovmt.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\4vaonlg8ucovmt.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\4vaOnlg8Ucovmt.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\4vaonlg8ucovmt.flv.nefilim")) returned 1 [0286.128] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.128] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.128] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa306d5f0, ftCreationTime.dwHighDateTime=0x1d5e221, ftLastAccessTime.dwLowDateTime=0xc1a8ccf0, ftLastAccessTime.dwHighDateTime=0x1d5ea0c, ftLastWriteTime.dwLowDateTime=0xc1a8ccf0, ftLastWriteTime.dwHighDateTime=0x1d5ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15518, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="6lR9UWbIqBPF.gif", cAlternateFileName="6LR9UW~1.GIF")) returned 1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2=".") returned 1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="..") returned 1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="...") returned 1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="windows") returned -1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="$RECYCLE.BIN") returned 1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="rsa") returned -1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="NTDETECT.COM") returned -1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="ntldr") returned -1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="MSDOS.SYS") returned -1 [0286.128] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="IO.SYS") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="boot.ini") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="AUTOEXEC.BAT") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="ntuser.dat") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="desktop.ini") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="CONFIG.SYS") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="RECYCLER") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="BOOTSECT.BAK") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="bootmgr") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="programdata") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="appdata") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="program files") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="program files (x86)") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="microsoft") returned -1 [0286.129] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="sophos") returned -1 [0286.129] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe08 [0286.129] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.129] PathFindExtensionW (pszPath="6lR9UWbIqBPF.gif") returned=".gif" [0286.129] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0286.129] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0286.129] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0286.129] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0286.129] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0286.129] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0286.130] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0286.130] lstrcmpiW (lpString1="6lR9UWbIqBPF.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.130] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\6lR9UWbIqBPF.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\6lr9uwbiqbpf.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.130] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=87320) returned 1 [0286.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0286.130] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.130] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0286.131] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.131] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.131] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.131] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.131] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.133] GetTickCount () returned 0x1187a2f [0286.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe70 [0286.133] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.133] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15518, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.133] SetLastError (dwErrCode=0x0) [0286.133] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.134] GetLastError () returned 0x0 [0286.134] GetLastError () returned 0x0 [0286.134] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15618, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.134] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.134] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15718, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.135] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0ddf20e, dwHighDateTime=0x1d5fd73)) [0286.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe70 [0286.135] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.135] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.135] GetProcessHeap () returned 0xa10000 [0286.135] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x15518) returned 0xa3e6a0 [0286.136] GetSystemDefaultLangID () returned 0xa20409 [0286.136] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.136] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x15518, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x15518, lpOverlapped=0x0) returned 1 [0286.143] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.143] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x15518, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x15518, lpOverlapped=0x0) returned 1 [0286.144] GetProcessHeap () returned 0xa10000 [0286.144] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.144] CloseHandle (hObject=0x26c) returned 1 [0286.145] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.145] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.145] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0286.146] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0286.146] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\6lR9UWbIqBPF.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\6lr9uwbiqbpf.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\6lR9UWbIqBPF.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\6lr9uwbiqbpf.gif.nefilim")) returned 1 [0286.147] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.147] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.147] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x279f730, ftCreationTime.dwHighDateTime=0x1d5e699, ftLastAccessTime.dwLowDateTime=0x9358ef70, ftLastAccessTime.dwHighDateTime=0x1d5e36c, ftLastWriteTime.dwLowDateTime=0x9358ef70, ftLastWriteTime.dwHighDateTime=0x1d5e36c, nFileSizeHigh=0x0, nFileSizeLow=0x15b75, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="97vEppsX.pps", cAlternateFileName="")) returned 1 [0286.147] lstrcmpiW (lpString1="97vEppsX.pps", lpString2=".") returned 1 [0286.147] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="..") returned 1 [0286.147] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="...") returned 1 [0286.147] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="windows") returned -1 [0286.147] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="$RECYCLE.BIN") returned 1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="rsa") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="NTDETECT.COM") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="ntldr") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="MSDOS.SYS") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="IO.SYS") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="boot.ini") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="AUTOEXEC.BAT") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="ntuser.dat") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="desktop.ini") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="CONFIG.SYS") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="RECYCLER") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="BOOTSECT.BAK") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="bootmgr") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="programdata") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="appdata") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="program files") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="program files (x86)") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="microsoft") returned -1 [0286.148] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="sophos") returned -1 [0286.148] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.149] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.149] PathFindExtensionW (pszPath="97vEppsX.pps") returned=".pps" [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".NEFILIM") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0286.149] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0286.149] lstrcmpiW (lpString1="97vEppsX.pps", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.149] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.150] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\97vEppsX.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\97veppsx.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.150] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=88949) returned 1 [0286.150] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0286.150] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.150] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0286.150] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.150] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.150] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.150] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.152] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.154] GetTickCount () returned 0x1187a3f [0286.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.154] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.154] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15b75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.154] SetLastError (dwErrCode=0x0) [0286.154] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.155] GetLastError () returned 0x0 [0286.156] GetLastError () returned 0x0 [0286.156] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15c75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.156] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.156] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15d75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.156] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0e0544e, dwHighDateTime=0x1d5fd73)) [0286.156] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.156] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.156] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.156] GetProcessHeap () returned 0xa10000 [0286.156] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x15b75) returned 0xa3e6a0 [0286.156] GetSystemDefaultLangID () returned 0xa20409 [0286.156] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.156] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x15b75, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x15b75, lpOverlapped=0x0) returned 1 [0286.164] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.164] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x15b75, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x15b75, lpOverlapped=0x0) returned 1 [0286.164] GetProcessHeap () returned 0xa10000 [0286.164] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.164] CloseHandle (hObject=0x26c) returned 1 [0286.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0286.166] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.166] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\97vEppsX.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\97veppsx.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\97vEppsX.pps.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\97veppsx.pps.nefilim")) returned 1 [0286.167] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.167] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.167] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ea160, ftCreationTime.dwHighDateTime=0x1d5eb62, ftLastAccessTime.dwLowDateTime=0x9a180620, ftLastAccessTime.dwHighDateTime=0x1d5e5d8, ftLastWriteTime.dwLowDateTime=0x9a180620, ftLastWriteTime.dwHighDateTime=0x1d5e5d8, nFileSizeHigh=0x0, nFileSizeLow=0x112a9, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="9pYvJcC1FPAGR.m4a", cAlternateFileName="9PYVJC~1.M4A")) returned 1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2=".") returned 1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="..") returned 1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="...") returned 1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="windows") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="$RECYCLE.BIN") returned 1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="rsa") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="NTDETECT.COM") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="ntldr") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="MSDOS.SYS") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="IO.SYS") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="boot.ini") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="AUTOEXEC.BAT") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="ntuser.dat") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="desktop.ini") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="CONFIG.SYS") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="RECYCLER") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="BOOTSECT.BAK") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="bootmgr") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="programdata") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="appdata") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="program files") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="program files (x86)") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="microsoft") returned -1 [0286.168] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="sophos") returned -1 [0286.168] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf8 [0286.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.169] PathFindExtensionW (pszPath="9pYvJcC1FPAGR.m4a") returned=".m4a" [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0286.169] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0286.170] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0286.170] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0286.170] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0286.170] lstrcmpiW (lpString1="9pYvJcC1FPAGR.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.170] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe60 [0286.170] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\9pYvJcC1FPAGR.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\9pyvjcc1fpagr.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.170] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=70313) returned 1 [0286.170] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.170] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.171] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.171] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.171] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0286.171] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.171] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.171] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.172] GetTickCount () returned 0x1187a4e [0286.172] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0286.172] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0286.172] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x112a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.172] SetLastError (dwErrCode=0x0) [0286.172] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.174] GetLastError () returned 0x0 [0286.174] GetLastError () returned 0x0 [0286.174] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x113a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.174] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.174] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x114a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.174] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0e2b786, dwHighDateTime=0x1d5fd73)) [0286.174] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbda0 [0286.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.174] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.174] GetProcessHeap () returned 0xa10000 [0286.174] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x112a9) returned 0xa3e6a0 [0286.174] GetSystemDefaultLangID () returned 0xa20409 [0286.174] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.174] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x112a9, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x112a9, lpOverlapped=0x0) returned 1 [0286.179] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.179] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x112a9, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x112a9, lpOverlapped=0x0) returned 1 [0286.180] GetProcessHeap () returned 0xa10000 [0286.180] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.180] CloseHandle (hObject=0x26c) returned 1 [0286.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0286.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.181] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0286.181] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\9pYvJcC1FPAGR.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\9pyvjcc1fpagr.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\9pYvJcC1FPAGR.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\9pyvjcc1fpagr.m4a.nefilim")) returned 1 [0286.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe60 | out: hHeap=0x28d0000) returned 1 [0286.183] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4894880, ftCreationTime.dwHighDateTime=0x1d5e50d, ftLastAccessTime.dwLowDateTime=0x7091c750, ftLastAccessTime.dwHighDateTime=0x1d5e2a9, ftLastWriteTime.dwLowDateTime=0x7091c750, ftLastWriteTime.dwHighDateTime=0x1d5e2a9, nFileSizeHigh=0x0, nFileSizeLow=0x16080, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="Am3KoGV-s.jpg", cAlternateFileName="AM3KOG~1.JPG")) returned 1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2=".") returned 1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="..") returned 1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="...") returned 1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="windows") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="$RECYCLE.BIN") returned 1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="rsa") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="NTDETECT.COM") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="ntldr") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="MSDOS.SYS") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="IO.SYS") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="boot.ini") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="AUTOEXEC.BAT") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="ntuser.dat") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="desktop.ini") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="CONFIG.SYS") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="RECYCLER") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="BOOTSECT.BAK") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="bootmgr") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="programdata") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="appdata") returned -1 [0286.183] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="program files") returned -1 [0286.184] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="program files (x86)") returned -1 [0286.184] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="microsoft") returned -1 [0286.184] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="sophos") returned -1 [0286.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.184] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.184] PathFindExtensionW (pszPath="Am3KoGV-s.jpg") returned=".jpg" [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0286.184] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0286.184] lstrcmpiW (lpString1="Am3KoGV-s.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.184] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Am3KoGV-s.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\am3kogv-s.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.185] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=90240) returned 1 [0286.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.185] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.185] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0286.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0286.185] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.186] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.186] GetTickCount () returned 0x1187a5e [0286.186] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.186] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.186] SetLastError (dwErrCode=0x0) [0286.186] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.187] GetLastError () returned 0x0 [0286.187] GetLastError () returned 0x0 [0286.187] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.188] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.188] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.188] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0e519ca, dwHighDateTime=0x1d5fd73)) [0286.188] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.188] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.188] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.188] GetProcessHeap () returned 0xa10000 [0286.188] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x16080) returned 0xa3e6a0 [0286.188] GetSystemDefaultLangID () returned 0xa20409 [0286.188] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.188] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x16080, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x16080, lpOverlapped=0x0) returned 1 [0286.194] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.194] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x16080, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x16080, lpOverlapped=0x0) returned 1 [0286.195] GetProcessHeap () returned 0xa10000 [0286.195] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.195] CloseHandle (hObject=0x26c) returned 1 [0286.196] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0286.196] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0286.196] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.196] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.196] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.196] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Am3KoGV-s.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\am3kogv-s.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Am3KoGV-s.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\am3kogv-s.jpg.nefilim")) returned 1 [0286.198] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.198] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.198] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93bdd1a0, ftCreationTime.dwHighDateTime=0x1d5e4b2, ftLastAccessTime.dwLowDateTime=0xaedeb150, ftLastAccessTime.dwHighDateTime=0x1d5e680, ftLastWriteTime.dwLowDateTime=0xaedeb150, ftLastWriteTime.dwHighDateTime=0x1d5e680, nFileSizeHigh=0x0, nFileSizeLow=0x7136, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="AT 27uy-C_3.flv", cAlternateFileName="AT27UY~1.FLV")) returned 1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2=".") returned 1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="..") returned 1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="...") returned 1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="windows") returned -1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="$RECYCLE.BIN") returned 1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="rsa") returned -1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="NTDETECT.COM") returned -1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="ntldr") returned -1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="MSDOS.SYS") returned -1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="IO.SYS") returned -1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="boot.ini") returned -1 [0286.198] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="AUTOEXEC.BAT") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="ntuser.dat") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="desktop.ini") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="CONFIG.SYS") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="RECYCLER") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="BOOTSECT.BAK") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="bootmgr") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="programdata") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="appdata") returned 1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="program files") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="program files (x86)") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="microsoft") returned -1 [0286.199] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="sophos") returned -1 [0286.199] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.199] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.199] PathFindExtensionW (pszPath="AT 27uy-C_3.flv") returned=".flv" [0286.199] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0286.199] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0286.199] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0286.199] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0286.199] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0286.199] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0286.199] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0286.199] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0286.199] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0286.200] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0286.200] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0286.200] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0286.200] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0286.200] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0286.200] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0286.200] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0286.200] lstrcmpiW (lpString1="AT 27uy-C_3.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.200] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.200] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AT 27uy-C_3.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\at 27uy-c_3.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.200] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=28982) returned 1 [0286.200] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.200] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0286.200] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.200] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0286.200] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.201] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0286.201] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.202] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.204] GetTickCount () returned 0x1187a6d [0286.204] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.204] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.204] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7136, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.204] SetLastError (dwErrCode=0x0) [0286.204] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.261] GetLastError () returned 0x0 [0286.261] GetLastError () returned 0x0 [0286.261] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7236, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.261] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.261] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7336, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.261] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0f10560, dwHighDateTime=0x1d5fd73)) [0286.261] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.261] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.261] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.262] GetProcessHeap () returned 0xa10000 [0286.262] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x7136) returned 0xa3e6a0 [0286.262] GetSystemDefaultLangID () returned 0xa20409 [0286.262] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.262] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x7136, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x7136, lpOverlapped=0x0) returned 1 [0286.264] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.264] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x7136, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x7136, lpOverlapped=0x0) returned 1 [0286.264] GetProcessHeap () returned 0xa10000 [0286.265] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.265] CloseHandle (hObject=0x26c) returned 1 [0286.266] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.266] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0286.266] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.266] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0286.266] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.266] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\AT 27uy-C_3.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\at 27uy-c_3.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\AT 27uy-C_3.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\at 27uy-c_3.flv.nefilim")) returned 1 [0286.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.269] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8ba4f0, ftCreationTime.dwHighDateTime=0x1d5ef52, ftLastAccessTime.dwLowDateTime=0x67a24540, ftLastAccessTime.dwHighDateTime=0x1d5e9c3, ftLastWriteTime.dwLowDateTime=0x67a24540, ftLastWriteTime.dwHighDateTime=0x1d5e9c3, nFileSizeHigh=0x0, nFileSizeLow=0x3a8b, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="AwF8qz5Brvq3noFfks.pps", cAlternateFileName="AWF8QZ~1.PPS")) returned 1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2=".") returned 1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="..") returned 1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="...") returned 1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="windows") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="$RECYCLE.BIN") returned 1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="rsa") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="NTDETECT.COM") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="ntldr") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="MSDOS.SYS") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="IO.SYS") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="boot.ini") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="AUTOEXEC.BAT") returned 1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="ntuser.dat") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="desktop.ini") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="CONFIG.SYS") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="RECYCLER") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="BOOTSECT.BAK") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="bootmgr") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="programdata") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="appdata") returned 1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="program files") returned -1 [0286.269] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="program files (x86)") returned -1 [0286.270] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="microsoft") returned -1 [0286.270] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="sophos") returned -1 [0286.270] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.270] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.270] PathFindExtensionW (pszPath="AwF8qz5Brvq3noFfks.pps") returned=".pps" [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".NEFILIM") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0286.270] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0286.270] lstrcmpiW (lpString1="AwF8qz5Brvq3noFfks.pps", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.270] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.271] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AwF8qz5Brvq3noFfks.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\awf8qz5brvq3noffks.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.271] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=14987) returned 1 [0286.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.271] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.271] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.271] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.272] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.272] GetTickCount () returned 0x1187abc [0286.272] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe08 [0286.272] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.272] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3a8b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.272] SetLastError (dwErrCode=0x0) [0286.272] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.273] GetLastError () returned 0x0 [0286.273] GetLastError () returned 0x0 [0286.273] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3b8b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.273] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.274] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3c8b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.274] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0f36701, dwHighDateTime=0x1d5fd73)) [0286.274] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe08 [0286.274] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.274] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.274] GetProcessHeap () returned 0xa10000 [0286.274] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3a8b) returned 0xa3e6a0 [0286.274] GetSystemDefaultLangID () returned 0xa20409 [0286.274] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.274] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x3a8b, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x3a8b, lpOverlapped=0x0) returned 1 [0286.275] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.275] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x3a8b, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x3a8b, lpOverlapped=0x0) returned 1 [0286.275] GetProcessHeap () returned 0xa10000 [0286.275] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.275] CloseHandle (hObject=0x26c) returned 1 [0286.276] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.276] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.276] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.276] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.276] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0286.276] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\AwF8qz5Brvq3noFfks.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\awf8qz5brvq3noffks.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\AwF8qz5Brvq3noFfks.pps.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\awf8qz5brvq3noffks.pps.nefilim")) returned 1 [0286.278] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.278] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.278] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0286.278] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0286.278] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0286.278] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0286.278] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0286.278] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0286.278] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0286.278] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0286.279] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0286.279] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0286.279] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0286.279] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0286.279] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0286.279] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0286.279] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0286.279] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef58690, ftCreationTime.dwHighDateTime=0x1d5e631, ftLastAccessTime.dwLowDateTime=0x441cd390, ftLastAccessTime.dwHighDateTime=0x1d5f0be, ftLastWriteTime.dwLowDateTime=0x441cd390, ftLastWriteTime.dwHighDateTime=0x1d5f0be, nFileSizeHigh=0x0, nFileSizeLow=0xe498, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="DMX-BtVBEHy6MQpFQr_s.jpg", cAlternateFileName="DMX-BT~1.JPG")) returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2=".") returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="..") returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="...") returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="windows") returned -1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="$RECYCLE.BIN") returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="rsa") returned -1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="NTDETECT.COM") returned -1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="ntldr") returned -1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="MSDOS.SYS") returned -1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="IO.SYS") returned -1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="boot.ini") returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="ntuser.dat") returned -1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="desktop.ini") returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="CONFIG.SYS") returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="RECYCLER") returned -1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="BOOTSECT.BAK") returned 1 [0286.279] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="bootmgr") returned 1 [0286.280] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="programdata") returned -1 [0286.280] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="appdata") returned 1 [0286.280] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="program files") returned -1 [0286.280] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="program files (x86)") returned -1 [0286.280] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="microsoft") returned -1 [0286.280] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="sophos") returned -1 [0286.280] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbda0 [0286.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.280] PathFindExtensionW (pszPath="DMX-BtVBEHy6MQpFQr_s.jpg") returned=".jpg" [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0286.280] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0286.281] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0286.281] lstrcmpiW (lpString1="DMX-BtVBEHy6MQpFQr_s.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.281] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe18 [0286.281] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\DMX-BtVBEHy6MQpFQr_s.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\dmx-btvbehy6mqpfqr_s.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.281] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=58520) returned 1 [0286.281] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0286.281] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.281] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0286.281] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.281] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.281] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.281] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.282] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.282] GetTickCount () returned 0x1187abc [0286.282] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe90 [0286.282] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0286.282] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe498, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.282] SetLastError (dwErrCode=0x0) [0286.282] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.283] GetLastError () returned 0x0 [0286.283] GetLastError () returned 0x0 [0286.284] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe598, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.284] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.284] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe698, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.284] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0f5c996, dwHighDateTime=0x1d5fd73)) [0286.284] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0286.284] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0286.284] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.284] GetProcessHeap () returned 0xa10000 [0286.284] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe498) returned 0xa3e6a0 [0286.284] GetSystemDefaultLangID () returned 0xa20409 [0286.284] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.284] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xe498, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xe498, lpOverlapped=0x0) returned 1 [0286.288] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.289] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xe498, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xe498, lpOverlapped=0x0) returned 1 [0286.289] GetProcessHeap () returned 0xa10000 [0286.289] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.290] CloseHandle (hObject=0x26c) returned 1 [0286.292] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.292] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.292] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0286.292] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.292] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0286.292] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\DMX-BtVBEHy6MQpFQr_s.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\dmx-btvbehy6mqpfqr_s.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\DMX-BtVBEHy6MQpFQr_s.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\dmx-btvbehy6mqpfqr_s.jpg.nefilim")) returned 1 [0286.295] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.295] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0286.295] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa477bb10, ftCreationTime.dwHighDateTime=0x1d5ef06, ftLastAccessTime.dwLowDateTime=0xd3c45bf0, ftLastAccessTime.dwHighDateTime=0x1d5e53b, ftLastWriteTime.dwLowDateTime=0xd3c45bf0, ftLastWriteTime.dwHighDateTime=0x1d5e53b, nFileSizeHigh=0x0, nFileSizeLow=0x1225c, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="DYdst47n1dKy1wzCeyn.flv", cAlternateFileName="DYDST4~1.FLV")) returned 1 [0286.295] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2=".") returned 1 [0286.295] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="..") returned 1 [0286.295] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="...") returned 1 [0286.295] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="windows") returned -1 [0286.295] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="$RECYCLE.BIN") returned 1 [0286.295] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="rsa") returned -1 [0286.295] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="NTDETECT.COM") returned -1 [0286.295] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="ntldr") returned -1 [0286.295] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="MSDOS.SYS") returned -1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="IO.SYS") returned -1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="boot.ini") returned 1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="AUTOEXEC.BAT") returned 1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="ntuser.dat") returned -1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="desktop.ini") returned 1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="CONFIG.SYS") returned 1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="RECYCLER") returned -1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="BOOTSECT.BAK") returned 1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="bootmgr") returned 1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="programdata") returned -1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="appdata") returned 1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="program files") returned -1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="program files (x86)") returned -1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="microsoft") returned -1 [0286.296] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="sophos") returned -1 [0286.296] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe18 [0286.296] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.296] PathFindExtensionW (pszPath="DYdst47n1dKy1wzCeyn.flv") returned=".flv" [0286.296] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0286.296] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0286.296] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0286.296] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0286.296] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0286.296] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0286.296] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0286.297] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0286.297] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0286.297] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0286.297] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0286.297] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0286.297] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0286.297] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0286.297] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0286.297] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0286.297] lstrcmpiW (lpString1="DYdst47n1dKy1wzCeyn.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.297] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\DYdst47n1dKy1wzCeyn.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\dydst47n1dky1wzceyn.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.297] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=74332) returned 1 [0286.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.297] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.297] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0286.298] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.300] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.300] GetTickCount () returned 0x1187adb [0286.300] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe80 [0286.300] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0286.300] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1225c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.300] SetLastError (dwErrCode=0x0) [0286.300] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.302] GetLastError () returned 0x0 [0286.302] GetLastError () returned 0x0 [0286.302] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1235c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.302] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.302] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1245c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.302] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0f82c43, dwHighDateTime=0x1d5fd73)) [0286.302] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe80 [0286.302] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0286.302] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.302] GetProcessHeap () returned 0xa10000 [0286.302] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1225c) returned 0xa3e6a0 [0286.302] GetSystemDefaultLangID () returned 0xa20409 [0286.302] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.302] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x1225c, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x1225c, lpOverlapped=0x0) returned 1 [0286.308] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.308] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x1225c, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x1225c, lpOverlapped=0x0) returned 1 [0286.308] GetProcessHeap () returned 0xa10000 [0286.308] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.308] CloseHandle (hObject=0x26c) returned 1 [0286.309] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.309] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0286.309] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.309] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe80 [0286.309] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\DYdst47n1dKy1wzCeyn.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\dydst47n1dky1wzceyn.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\DYdst47n1dKy1wzCeyn.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\dydst47n1dky1wzceyn.flv.nefilim")) returned 1 [0286.310] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0286.310] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.310] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbfb82160, ftCreationTime.dwHighDateTime=0x1d5e1c5, ftLastAccessTime.dwLowDateTime=0x162ac390, ftLastAccessTime.dwHighDateTime=0x1d5e275, ftLastWriteTime.dwLowDateTime=0x162ac390, ftLastWriteTime.dwHighDateTime=0x1d5e275, nFileSizeHigh=0x0, nFileSizeLow=0xf0fb, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="D_fVQObLZTfwZm jgWSJ.xlsx", cAlternateFileName="D_FVQO~1.XLS")) returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2=".") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="..") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="...") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="windows") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="rsa") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="NTDETECT.COM") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="ntldr") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="MSDOS.SYS") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="IO.SYS") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="boot.ini") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="ntuser.dat") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="desktop.ini") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="CONFIG.SYS") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="RECYCLER") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="bootmgr") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="programdata") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="appdata") returned 1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="program files") returned -1 [0286.310] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="program files (x86)") returned -1 [0286.311] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="microsoft") returned -1 [0286.311] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="sophos") returned -1 [0286.311] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbda0 [0286.311] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0286.311] PathFindExtensionW (pszPath="D_fVQObLZTfwZm jgWSJ.xlsx") returned=".xlsx" [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0286.311] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0286.311] lstrcmpiW (lpString1="D_fVQObLZTfwZm jgWSJ.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.311] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe18 [0286.311] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\D_fVQObLZTfwZm jgWSJ.xlsx" (normalized: "c:\\users\\fd1hvy\\desktop\\d_fvqoblztfwzm jgwsj.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.312] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=61691) returned 1 [0286.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.312] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.312] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0286.312] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.314] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.316] GetTickCount () returned 0x1187aea [0286.316] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe90 [0286.316] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0286.317] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf0fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.317] SetLastError (dwErrCode=0x0) [0286.317] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.318] GetLastError () returned 0x0 [0286.318] GetLastError () returned 0x0 [0286.318] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf1fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.318] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.318] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf2fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.318] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd0fa8e18, dwHighDateTime=0x1d5fd73)) [0286.318] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0286.318] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0286.318] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.318] GetProcessHeap () returned 0xa10000 [0286.318] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xf0fb) returned 0xa3e6a0 [0286.318] GetSystemDefaultLangID () returned 0xa20409 [0286.318] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.318] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xf0fb, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xf0fb, lpOverlapped=0x0) returned 1 [0286.323] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.323] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xf0fb, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xf0fb, lpOverlapped=0x0) returned 1 [0286.324] GetProcessHeap () returned 0xa10000 [0286.324] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.324] CloseHandle (hObject=0x26c) returned 1 [0286.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0286.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0286.325] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\D_fVQObLZTfwZm jgWSJ.xlsx" (normalized: "c:\\users\\fd1hvy\\desktop\\d_fvqoblztfwzm jgwsj.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\D_fVQObLZTfwZm jgWSJ.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\d_fvqoblztfwzm jgwsj.xlsx.nefilim")) returned 1 [0286.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0286.326] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fe5a9b0, ftCreationTime.dwHighDateTime=0x1d5e92f, ftLastAccessTime.dwLowDateTime=0x59f51520, ftLastAccessTime.dwHighDateTime=0x1d5eb2c, ftLastWriteTime.dwLowDateTime=0x59f51520, ftLastWriteTime.dwHighDateTime=0x1d5eb2c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="EEeuv7-9HI15TuLg4LE", cAlternateFileName="EEEUV7~1")) returned 1 [0286.326] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2=".") returned 1 [0286.326] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="..") returned 1 [0286.326] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="...") returned 1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="windows") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="$RECYCLE.BIN") returned 1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="rsa") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="NTDETECT.COM") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="ntldr") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="MSDOS.SYS") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="IO.SYS") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="boot.ini") returned 1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="AUTOEXEC.BAT") returned 1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="ntuser.dat") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="desktop.ini") returned 1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="CONFIG.SYS") returned 1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="RECYCLER") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="BOOTSECT.BAK") returned 1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="bootmgr") returned 1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="programdata") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="appdata") returned 1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="program files") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="program files (x86)") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="microsoft") returned -1 [0286.327] lstrcmpiW (lpString1="EEeuv7-9HI15TuLg4LE", lpString2="sophos") returned -1 [0286.327] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe18 [0286.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.327] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.327] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe80 [0286.327] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0286.327] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fe5a9b0, ftCreationTime.dwHighDateTime=0x1d5e92f, ftLastAccessTime.dwLowDateTime=0x59f51520, ftLastAccessTime.dwHighDateTime=0x1d5eb2c, ftLastWriteTime.dwLowDateTime=0x59f51520, ftLastWriteTime.dwHighDateTime=0x1d5eb2c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName=".", cAlternateFileName="")) returned 0xa2f360 [0286.328] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0286.328] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fe5a9b0, ftCreationTime.dwHighDateTime=0x1d5e92f, ftLastAccessTime.dwLowDateTime=0x59f51520, ftLastAccessTime.dwHighDateTime=0x1d5eb2c, ftLastWriteTime.dwLowDateTime=0x59f51520, ftLastWriteTime.dwHighDateTime=0x1d5eb2c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="..", cAlternateFileName="")) returned 1 [0286.328] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0286.328] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0286.328] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5eaba70, ftCreationTime.dwHighDateTime=0x1d5e455, ftLastAccessTime.dwLowDateTime=0x47aa1f00, ftLastAccessTime.dwHighDateTime=0x1d5f07c, ftLastWriteTime.dwLowDateTime=0x47aa1f00, ftLastWriteTime.dwHighDateTime=0x1d5f07c, nFileSizeHigh=0x0, nFileSizeLow=0x7921, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="0cjI.mp3", cAlternateFileName="")) returned 1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2=".") returned 1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="..") returned 1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="...") returned 1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="windows") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="$RECYCLE.BIN") returned 1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="rsa") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="NTDETECT.COM") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="ntldr") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="MSDOS.SYS") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="IO.SYS") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="boot.ini") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="AUTOEXEC.BAT") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="ntuser.dat") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="desktop.ini") returned -1 [0286.328] lstrcmpiW (lpString1="0cjI.mp3", lpString2="CONFIG.SYS") returned -1 [0286.329] lstrcmpiW (lpString1="0cjI.mp3", lpString2="RECYCLER") returned -1 [0286.329] lstrcmpiW (lpString1="0cjI.mp3", lpString2="BOOTSECT.BAK") returned -1 [0286.329] lstrcmpiW (lpString1="0cjI.mp3", lpString2="bootmgr") returned -1 [0286.329] lstrcmpiW (lpString1="0cjI.mp3", lpString2="programdata") returned -1 [0286.329] lstrcmpiW (lpString1="0cjI.mp3", lpString2="appdata") returned -1 [0286.329] lstrcmpiW (lpString1="0cjI.mp3", lpString2="program files") returned -1 [0286.329] lstrcmpiW (lpString1="0cjI.mp3", lpString2="program files (x86)") returned -1 [0286.329] lstrcmpiW (lpString1="0cjI.mp3", lpString2="microsoft") returned -1 [0286.329] lstrcmpiW (lpString1="0cjI.mp3", lpString2="sophos") returned -1 [0286.329] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de788 [0286.329] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.329] PathFindExtensionW (pszPath="0cjI.mp3") returned=".mp3" [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0286.329] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0286.329] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c250140, ftCreationTime.dwHighDateTime=0x1d5ea2b, ftLastAccessTime.dwLowDateTime=0xd5695f30, ftLastAccessTime.dwHighDateTime=0x1d5e745, ftLastWriteTime.dwLowDateTime=0xd5695f30, ftLastWriteTime.dwHighDateTime=0x1d5e745, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="5Icyctj78ppcu-DF.wav", cAlternateFileName="5ICYCT~1.WAV")) returned 1 [0286.329] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2=".") returned 1 [0286.329] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="..") returned 1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="...") returned 1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="windows") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="$RECYCLE.BIN") returned 1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="rsa") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="NTDETECT.COM") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="ntldr") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="MSDOS.SYS") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="IO.SYS") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="boot.ini") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="AUTOEXEC.BAT") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="ntuser.dat") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="desktop.ini") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="CONFIG.SYS") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="RECYCLER") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="BOOTSECT.BAK") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="bootmgr") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="programdata") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="appdata") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="program files") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="program files (x86)") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="microsoft") returned -1 [0286.330] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="sophos") returned -1 [0286.330] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de800 [0286.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0286.330] PathFindExtensionW (pszPath="5Icyctj78ppcu-DF.wav") returned=".wav" [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0286.331] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0286.331] lstrcmpiW (lpString1="5Icyctj78ppcu-DF.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.331] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de720 [0286.332] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\5Icyctj78ppcu-DF.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\5icyctj78ppcu-df.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0286.332] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=50688) returned 1 [0286.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0286.332] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.332] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0286.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0286.332] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0286.333] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0286.333] GetTickCount () returned 0x1187afa [0286.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de7b8 [0286.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b8 | out: hHeap=0x28d0000) returned 1 [0286.333] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xc600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.333] SetLastError (dwErrCode=0x0) [0286.333] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.334] GetLastError () returned 0x0 [0286.334] GetLastError () returned 0x0 [0286.334] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xc700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.334] WriteFile (in: hFile=0x270, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.335] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xc800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.335] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd0fcf1c3, dwHighDateTime=0x1d5fd73)) [0286.335] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b8 [0286.335] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b8 | out: hHeap=0x28d0000) returned 1 [0286.335] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0286.335] GetProcessHeap () returned 0xa10000 [0286.335] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xc600) returned 0xa3f6a8 [0286.335] GetSystemDefaultLangID () returned 0xa20409 [0286.335] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.335] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xc600, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xc600, lpOverlapped=0x0) returned 1 [0286.338] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.338] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xc600, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xc600, lpOverlapped=0x0) returned 1 [0286.339] GetProcessHeap () returned 0xa10000 [0286.339] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0286.339] CloseHandle (hObject=0x270) returned 1 [0286.340] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.340] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0286.340] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.340] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0286.340] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de898 [0286.340] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\5Icyctj78ppcu-DF.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\5icyctj78ppcu-df.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\5Icyctj78ppcu-DF.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\5icyctj78ppcu-df.wav.nefilim")) returned 1 [0286.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de898 | out: hHeap=0x28d0000) returned 1 [0286.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.342] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99147c80, ftCreationTime.dwHighDateTime=0x1d5f0d3, ftLastAccessTime.dwLowDateTime=0x3aa42cb0, ftLastAccessTime.dwHighDateTime=0x1d5ee06, ftLastWriteTime.dwLowDateTime=0x3aa42cb0, ftLastWriteTime.dwHighDateTime=0x1d5ee06, nFileSizeHigh=0x0, nFileSizeLow=0x13159, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="dwSp3cfm.mp3", cAlternateFileName="")) returned 1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2=".") returned 1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="..") returned 1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="...") returned 1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="windows") returned -1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="$RECYCLE.BIN") returned 1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="rsa") returned -1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="NTDETECT.COM") returned -1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="ntldr") returned -1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="MSDOS.SYS") returned -1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="IO.SYS") returned -1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="boot.ini") returned 1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="ntuser.dat") returned -1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="desktop.ini") returned 1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="CONFIG.SYS") returned 1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="RECYCLER") returned -1 [0286.342] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="BOOTSECT.BAK") returned 1 [0286.343] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="bootmgr") returned 1 [0286.343] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="programdata") returned -1 [0286.343] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="appdata") returned 1 [0286.343] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="program files") returned -1 [0286.343] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="program files (x86)") returned -1 [0286.343] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="microsoft") returned -1 [0286.343] lstrcmpiW (lpString1="dwSp3cfm.mp3", lpString2="sophos") returned -1 [0286.343] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0286.343] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de800 | out: hHeap=0x28d0000) returned 1 [0286.343] PathFindExtensionW (pszPath="dwSp3cfm.mp3") returned=".mp3" [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0286.343] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0286.343] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa073b500, ftCreationTime.dwHighDateTime=0x1d5e33f, ftLastAccessTime.dwLowDateTime=0x39cf8df0, ftLastAccessTime.dwHighDateTime=0x1d5ed5e, ftLastWriteTime.dwLowDateTime=0x39cf8df0, ftLastWriteTime.dwHighDateTime=0x1d5ed5e, nFileSizeHigh=0x0, nFileSizeLow=0x11b5e, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="EtxJfI0VJWpeuSJOD3.mp4", cAlternateFileName="ETXJFI~1.MP4")) returned 1 [0286.343] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2=".") returned 1 [0286.343] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="..") returned 1 [0286.343] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="...") returned 1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="windows") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="$RECYCLE.BIN") returned 1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="rsa") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="NTDETECT.COM") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="ntldr") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="MSDOS.SYS") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="IO.SYS") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="boot.ini") returned 1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="ntuser.dat") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="desktop.ini") returned 1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="CONFIG.SYS") returned 1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="RECYCLER") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="BOOTSECT.BAK") returned 1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="bootmgr") returned 1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="programdata") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="appdata") returned 1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="program files") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="program files (x86)") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="microsoft") returned -1 [0286.344] lstrcmpiW (lpString1="EtxJfI0VJWpeuSJOD3.mp4", lpString2="sophos") returned -1 [0286.344] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de7a8 [0286.344] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.344] PathFindExtensionW (pszPath="EtxJfI0VJWpeuSJOD3.mp4") returned=".mp4" [0286.344] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0286.344] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0286.345] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0286.345] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4287880, ftCreationTime.dwHighDateTime=0x1d5e870, ftLastAccessTime.dwLowDateTime=0xa382ad80, ftLastAccessTime.dwHighDateTime=0x1d5eed6, ftLastWriteTime.dwLowDateTime=0xa382ad80, ftLastWriteTime.dwHighDateTime=0x1d5eed6, nFileSizeHigh=0x0, nFileSizeLow=0x121d8, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="eV2WfIH4MuWbyipD.mp3", cAlternateFileName="EV2WFI~1.MP3")) returned 1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2=".") returned 1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="..") returned 1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="...") returned 1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="windows") returned -1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="$RECYCLE.BIN") returned 1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="rsa") returned -1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="NTDETECT.COM") returned -1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="ntldr") returned -1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="MSDOS.SYS") returned -1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="IO.SYS") returned -1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="boot.ini") returned 1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="ntuser.dat") returned -1 [0286.345] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="desktop.ini") returned 1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="CONFIG.SYS") returned 1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="RECYCLER") returned -1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="BOOTSECT.BAK") returned 1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="bootmgr") returned 1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="programdata") returned -1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="appdata") returned 1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="program files") returned -1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="program files (x86)") returned -1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="microsoft") returned -1 [0286.346] lstrcmpiW (lpString1="eV2WfIH4MuWbyipD.mp3", lpString2="sophos") returned -1 [0286.346] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de840 [0286.346] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7a8 | out: hHeap=0x28d0000) returned 1 [0286.346] PathFindExtensionW (pszPath="eV2WfIH4MuWbyipD.mp3") returned=".mp3" [0286.346] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0286.346] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0286.346] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0286.346] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0286.346] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0286.346] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0286.346] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0286.346] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0286.346] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0286.347] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0286.347] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0286.347] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be98260, ftCreationTime.dwHighDateTime=0x1d5e215, ftLastAccessTime.dwLowDateTime=0x25baafe0, ftLastAccessTime.dwHighDateTime=0x1d5e60e, ftLastWriteTime.dwLowDateTime=0x25baafe0, ftLastWriteTime.dwHighDateTime=0x1d5e60e, nFileSizeHigh=0x0, nFileSizeLow=0xb3f2, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="GyKN_90P4 Cmdv0.wav", cAlternateFileName="GYKN_9~1.WAV")) returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2=".") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="..") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="...") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="windows") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="$RECYCLE.BIN") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="rsa") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="NTDETECT.COM") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="ntldr") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="MSDOS.SYS") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="IO.SYS") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="boot.ini") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="AUTOEXEC.BAT") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="ntuser.dat") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="desktop.ini") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="CONFIG.SYS") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="RECYCLER") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="BOOTSECT.BAK") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="bootmgr") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="programdata") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="appdata") returned 1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="program files") returned -1 [0286.347] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="program files (x86)") returned -1 [0286.348] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="microsoft") returned -1 [0286.348] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="sophos") returned -1 [0286.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0286.348] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de840 | out: hHeap=0x28d0000) returned 1 [0286.348] PathFindExtensionW (pszPath="GyKN_90P4 Cmdv0.wav") returned=".wav" [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0286.348] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0286.348] lstrcmpiW (lpString1="GyKN_90P4 Cmdv0.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de7a8 [0286.348] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\GyKN_90P4 Cmdv0.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\gykn_90p4 cmdv0.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0286.349] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=46066) returned 1 [0286.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.349] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.349] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0286.349] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0286.350] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0286.352] GetTickCount () returned 0x1187b0a [0286.352] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de830 [0286.352] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.352] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb3f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.352] SetLastError (dwErrCode=0x0) [0286.352] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.353] GetLastError () returned 0x0 [0286.353] GetLastError () returned 0x0 [0286.353] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb4f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.353] WriteFile (in: hFile=0x270, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.354] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb5f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.354] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd0ff53e5, dwHighDateTime=0x1d5fd73)) [0286.354] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de830 [0286.354] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.354] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0286.354] GetProcessHeap () returned 0xa10000 [0286.354] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xb3f2) returned 0xa3f6a8 [0286.354] GetSystemDefaultLangID () returned 0xa20409 [0286.354] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.354] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xb3f2, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xb3f2, lpOverlapped=0x0) returned 1 [0286.357] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.357] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xb3f2, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xb3f2, lpOverlapped=0x0) returned 1 [0286.358] GetProcessHeap () returned 0xa10000 [0286.358] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0286.358] CloseHandle (hObject=0x270) returned 1 [0286.359] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.359] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0286.359] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.359] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.359] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de830 [0286.359] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\GyKN_90P4 Cmdv0.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\gykn_90p4 cmdv0.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\GyKN_90P4 Cmdv0.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\gykn_90p4 cmdv0.wav.nefilim")) returned 1 [0286.361] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.362] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7a8 | out: hHeap=0x28d0000) returned 1 [0286.362] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda65a10, ftCreationTime.dwHighDateTime=0x1d5efe3, ftLastAccessTime.dwLowDateTime=0xce6886e0, ftLastAccessTime.dwHighDateTime=0x1d5e360, ftLastWriteTime.dwLowDateTime=0xce6886e0, ftLastWriteTime.dwHighDateTime=0x1d5e360, nFileSizeHigh=0x0, nFileSizeLow=0x6819, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="Jj3ESqA7Gs.mkv", cAlternateFileName="JJ3ESQ~1.MKV")) returned 1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2=".") returned 1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="..") returned 1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="...") returned 1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="windows") returned -1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="$RECYCLE.BIN") returned 1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="rsa") returned -1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="NTDETECT.COM") returned -1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="ntldr") returned -1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="MSDOS.SYS") returned -1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="IO.SYS") returned 1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="boot.ini") returned 1 [0286.362] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="ntuser.dat") returned -1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="desktop.ini") returned 1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="CONFIG.SYS") returned 1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="RECYCLER") returned -1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="BOOTSECT.BAK") returned 1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="bootmgr") returned 1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="programdata") returned -1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="appdata") returned 1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="program files") returned -1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="program files (x86)") returned -1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="microsoft") returned -1 [0286.363] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="sophos") returned -1 [0286.363] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de7a8 [0286.363] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.363] PathFindExtensionW (pszPath="Jj3ESqA7Gs.mkv") returned=".mkv" [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0286.363] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0286.364] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0286.364] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0286.364] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0286.364] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0286.364] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0286.364] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0286.364] lstrcmpiW (lpString1="Jj3ESqA7Gs.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0286.364] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\Jj3ESqA7Gs.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\jj3esqa7gs.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0286.364] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=26649) returned 1 [0286.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0286.364] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.364] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0286.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.365] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0286.365] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0286.366] GetTickCount () returned 0x1187b19 [0286.366] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de830 [0286.366] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.367] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x6819, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.367] SetLastError (dwErrCode=0x0) [0286.367] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.368] GetLastError () returned 0x0 [0286.368] GetLastError () returned 0x0 [0286.368] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x6919, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.368] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.368] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x6a19, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.368] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd101b567, dwHighDateTime=0x1d5fd73)) [0286.368] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de830 [0286.368] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.368] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0286.368] GetProcessHeap () returned 0xa10000 [0286.368] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x6819) returned 0xa3f6a8 [0286.369] GetSystemDefaultLangID () returned 0xa20409 [0286.370] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.370] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x6819, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x6819, lpOverlapped=0x0) returned 1 [0286.372] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.372] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x6819, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x6819, lpOverlapped=0x0) returned 1 [0286.372] GetProcessHeap () returned 0xa10000 [0286.372] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0286.372] CloseHandle (hObject=0x270) returned 1 [0286.373] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.374] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.374] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.374] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0286.374] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de830 [0286.374] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\Jj3ESqA7Gs.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\jj3esqa7gs.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\Jj3ESqA7Gs.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\jj3esqa7gs.mkv.nefilim")) returned 1 [0286.376] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.376] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.376] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1452440, ftCreationTime.dwHighDateTime=0x1d5e698, ftLastAccessTime.dwLowDateTime=0x7216b50, ftLastAccessTime.dwHighDateTime=0x1d5e21c, ftLastWriteTime.dwLowDateTime=0x7216b50, ftLastWriteTime.dwHighDateTime=0x1d5e21c, nFileSizeHigh=0x0, nFileSizeLow=0xd4d0, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="lfn7f.flv", cAlternateFileName="")) returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2=".") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="..") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="...") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="windows") returned -1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="$RECYCLE.BIN") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="rsa") returned -1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="NTDETECT.COM") returned -1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="ntldr") returned -1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="MSDOS.SYS") returned -1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="IO.SYS") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="boot.ini") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="AUTOEXEC.BAT") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="ntuser.dat") returned -1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="desktop.ini") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="CONFIG.SYS") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="RECYCLER") returned -1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="BOOTSECT.BAK") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="bootmgr") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="programdata") returned -1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="appdata") returned 1 [0286.376] lstrcmpiW (lpString1="lfn7f.flv", lpString2="program files") returned -1 [0286.377] lstrcmpiW (lpString1="lfn7f.flv", lpString2="program files (x86)") returned -1 [0286.377] lstrcmpiW (lpString1="lfn7f.flv", lpString2="microsoft") returned -1 [0286.377] lstrcmpiW (lpString1="lfn7f.flv", lpString2="sophos") returned -1 [0286.377] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0286.377] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7a8 | out: hHeap=0x28d0000) returned 1 [0286.377] PathFindExtensionW (pszPath="lfn7f.flv") returned=".flv" [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0286.377] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0286.377] lstrcmpiW (lpString1="lfn7f.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.378] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de798 [0286.378] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\lfn7f.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\lfn7f.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0286.378] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=54480) returned 1 [0286.378] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0286.378] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.378] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0286.378] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.378] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.378] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0286.378] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0286.379] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0286.379] GetTickCount () returned 0x1187b29 [0286.379] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de810 [0286.379] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0286.379] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.379] SetLastError (dwErrCode=0x0) [0286.379] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.380] GetLastError () returned 0x0 [0286.380] GetLastError () returned 0x0 [0286.380] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd5d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.380] WriteFile (in: hFile=0x270, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.380] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.380] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd104188b, dwHighDateTime=0x1d5fd73)) [0286.380] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de810 [0286.381] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0286.381] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0286.381] GetProcessHeap () returned 0xa10000 [0286.381] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xd4d0) returned 0xa3f6a8 [0286.381] GetSystemDefaultLangID () returned 0xa20409 [0286.381] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.381] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xd4d0, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xd4d0, lpOverlapped=0x0) returned 1 [0286.385] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.385] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xd4d0, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xd4d0, lpOverlapped=0x0) returned 1 [0286.385] GetProcessHeap () returned 0xa10000 [0286.385] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0286.385] CloseHandle (hObject=0x270) returned 1 [0286.386] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.386] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0286.386] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0286.386] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.386] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de810 [0286.386] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\lfn7f.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\lfn7f.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\lfn7f.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\lfn7f.flv.nefilim")) returned 1 [0286.388] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0286.388] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0286.388] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab3293e0, ftCreationTime.dwHighDateTime=0x1d5e3fc, ftLastAccessTime.dwLowDateTime=0x91bdcb70, ftLastAccessTime.dwHighDateTime=0x1d5ebcf, ftLastWriteTime.dwLowDateTime=0x91bdcb70, ftLastWriteTime.dwHighDateTime=0x1d5ebcf, nFileSizeHigh=0x0, nFileSizeLow=0x14abe, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="NZs4p98amkDOvI.flv", cAlternateFileName="NZS4P9~1.FLV")) returned 1 [0286.388] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2=".") returned 1 [0286.388] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="..") returned 1 [0286.388] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="...") returned 1 [0286.388] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="windows") returned -1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="$RECYCLE.BIN") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="rsa") returned -1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="NTDETECT.COM") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="ntldr") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="MSDOS.SYS") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="IO.SYS") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="boot.ini") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="AUTOEXEC.BAT") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="ntuser.dat") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="desktop.ini") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="CONFIG.SYS") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="RECYCLER") returned -1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="BOOTSECT.BAK") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="bootmgr") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="programdata") returned -1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="appdata") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="program files") returned -1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="program files (x86)") returned -1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="microsoft") returned 1 [0286.389] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="sophos") returned -1 [0286.389] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de798 [0286.389] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.389] PathFindExtensionW (pszPath="NZs4p98amkDOvI.flv") returned=".flv" [0286.389] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0286.389] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0286.389] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0286.389] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0286.390] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0286.390] lstrcmpiW (lpString1="NZs4p98amkDOvI.flv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.390] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de820 [0286.390] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\NZs4p98amkDOvI.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\nzs4p98amkdovi.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0286.390] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=84670) returned 1 [0286.390] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.390] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0286.390] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.391] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0286.391] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.391] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.391] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0286.391] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0286.391] GetTickCount () returned 0x1187b29 [0286.391] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de720 [0286.391] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.391] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14abe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.392] SetLastError (dwErrCode=0x0) [0286.392] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.393] GetLastError () returned 0x0 [0286.393] GetLastError () returned 0x0 [0286.393] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14bbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.393] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.393] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14cbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.393] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd1067a27, dwHighDateTime=0x1d5fd73)) [0286.393] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0286.393] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.394] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0286.394] GetProcessHeap () returned 0xa10000 [0286.394] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x14abe) returned 0xa3f6a8 [0286.394] GetSystemDefaultLangID () returned 0xa20409 [0286.394] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.394] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x14abe, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x14abe, lpOverlapped=0x0) returned 1 [0286.399] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.399] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x14abe, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x14abe, lpOverlapped=0x0) returned 1 [0286.400] GetProcessHeap () returned 0xa10000 [0286.400] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0286.400] CloseHandle (hObject=0x270) returned 1 [0286.401] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.401] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.401] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.401] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0286.401] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de8a8 [0286.401] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\NZs4p98amkDOvI.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\nzs4p98amkdovi.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\NZs4p98amkDOvI.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\nzs4p98amkdovi.flv.nefilim")) returned 1 [0286.414] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8a8 | out: hHeap=0x28d0000) returned 1 [0286.414] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de820 | out: hHeap=0x28d0000) returned 1 [0286.414] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa17d73a0, ftCreationTime.dwHighDateTime=0x1d5e48e, ftLastAccessTime.dwLowDateTime=0xaf805240, ftLastAccessTime.dwHighDateTime=0x1d5f075, ftLastWriteTime.dwLowDateTime=0xaf805240, ftLastWriteTime.dwHighDateTime=0x1d5f075, nFileSizeHigh=0x0, nFileSizeLow=0x2ef5, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="uF2 7BNxWpbj.csv", cAlternateFileName="UF27BN~1.CSV")) returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2=".") returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="..") returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="...") returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="windows") returned -1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="$RECYCLE.BIN") returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="rsa") returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="NTDETECT.COM") returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="ntldr") returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="MSDOS.SYS") returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="IO.SYS") returned 1 [0286.414] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="boot.ini") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="AUTOEXEC.BAT") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="ntuser.dat") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="desktop.ini") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="CONFIG.SYS") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="RECYCLER") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="BOOTSECT.BAK") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="bootmgr") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="programdata") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="appdata") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="program files") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="program files (x86)") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="microsoft") returned 1 [0286.415] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="sophos") returned 1 [0286.415] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de820 [0286.415] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0286.415] PathFindExtensionW (pszPath="uF2 7BNxWpbj.csv") returned=".csv" [0286.415] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0286.415] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0286.415] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0286.415] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0286.415] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0286.415] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0286.415] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0286.415] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0286.415] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0286.416] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0286.416] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0286.416] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0286.416] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0286.416] lstrcmpiW (lpString1=".csv", lpString2=".NEFILIM") returned -1 [0286.416] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0286.416] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0286.416] lstrcmpiW (lpString1="uF2 7BNxWpbj.csv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.416] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0286.416] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\uF2 7BNxWpbj.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\uf2 7bnxwpbj.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0286.416] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=12021) returned 1 [0286.416] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.416] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.417] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.417] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.417] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0286.417] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0286.417] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0286.417] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0286.418] GetTickCount () returned 0x1187b48 [0286.418] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de7a8 [0286.418] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7a8 | out: hHeap=0x28d0000) returned 1 [0286.418] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2ef5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.418] SetLastError (dwErrCode=0x0) [0286.418] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.419] GetLastError () returned 0x0 [0286.419] GetLastError () returned 0x0 [0286.419] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2ff5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.419] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.420] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x30f5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.420] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd108dc6a, dwHighDateTime=0x1d5fd73)) [0286.420] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7a8 [0286.420] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7a8 | out: hHeap=0x28d0000) returned 1 [0286.420] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0286.420] GetProcessHeap () returned 0xa10000 [0286.420] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2ef5) returned 0xa3f6a8 [0286.420] GetSystemDefaultLangID () returned 0xa20409 [0286.420] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.420] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x2ef5, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x2ef5, lpOverlapped=0x0) returned 1 [0286.421] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.421] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x2ef5, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x2ef5, lpOverlapped=0x0) returned 1 [0286.421] GetProcessHeap () returned 0xa10000 [0286.421] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0286.421] CloseHandle (hObject=0x270) returned 1 [0286.422] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0286.422] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0286.422] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.423] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.423] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de8a8 [0286.423] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\uF2 7BNxWpbj.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\uf2 7bnxwpbj.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\uF2 7BNxWpbj.csv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\uf2 7bnxwpbj.csv.nefilim")) returned 1 [0286.425] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8a8 | out: hHeap=0x28d0000) returned 1 [0286.425] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.425] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e6fd460, ftCreationTime.dwHighDateTime=0x1d5e105, ftLastAccessTime.dwLowDateTime=0x5faeaf00, ftLastAccessTime.dwHighDateTime=0x1d5ebb1, ftLastWriteTime.dwLowDateTime=0x5faeaf00, ftLastWriteTime.dwHighDateTime=0x1d5ebb1, nFileSizeHigh=0x0, nFileSizeLow=0xb107, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="UPJuecFp.m4a", cAlternateFileName="")) returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2=".") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="..") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="...") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="windows") returned -1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="$RECYCLE.BIN") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="rsa") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="NTDETECT.COM") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="ntldr") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="MSDOS.SYS") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="IO.SYS") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="boot.ini") returned 1 [0286.425] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="ntuser.dat") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="desktop.ini") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="CONFIG.SYS") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="RECYCLER") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="BOOTSECT.BAK") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="bootmgr") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="programdata") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="appdata") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="program files") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="program files (x86)") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="microsoft") returned 1 [0286.426] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="sophos") returned 1 [0286.426] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0286.426] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de820 | out: hHeap=0x28d0000) returned 1 [0286.426] PathFindExtensionW (pszPath="UPJuecFp.m4a") returned=".m4a" [0286.426] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0286.426] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0286.426] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0286.426] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0286.427] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0286.427] lstrcmpiW (lpString1="UPJuecFp.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.427] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de7a8 [0286.427] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\UPJuecFp.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\upjuecfp.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0286.428] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=45319) returned 1 [0286.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0286.428] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.428] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0286.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0286.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.428] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0286.428] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0286.430] GetTickCount () returned 0x1187b58 [0286.430] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de830 [0286.430] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.430] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb107, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.431] SetLastError (dwErrCode=0x0) [0286.431] WriteFile (in: hFile=0x270, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.432] GetLastError () returned 0x0 [0286.432] GetLastError () returned 0x0 [0286.432] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb207, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.432] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.432] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb307, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.432] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd10b949a, dwHighDateTime=0x1d5fd73)) [0286.432] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de830 [0286.432] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.432] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0286.432] GetProcessHeap () returned 0xa10000 [0286.432] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xb107) returned 0xa3f6a8 [0286.433] GetSystemDefaultLangID () returned 0xa20409 [0286.434] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.434] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xb107, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xb107, lpOverlapped=0x0) returned 1 [0286.437] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.437] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xb107, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xb107, lpOverlapped=0x0) returned 1 [0286.438] GetProcessHeap () returned 0xa10000 [0286.438] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0286.438] CloseHandle (hObject=0x270) returned 1 [0286.439] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0286.439] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.439] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.439] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0286.439] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de830 [0286.439] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\UPJuecFp.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\upjuecfp.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\UPJuecFp.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\upjuecfp.m4a.nefilim")) returned 1 [0286.441] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.441] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7a8 | out: hHeap=0x28d0000) returned 1 [0286.441] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501b2650, ftCreationTime.dwHighDateTime=0x1d5e390, ftLastAccessTime.dwLowDateTime=0xe6a756c0, ftLastAccessTime.dwHighDateTime=0x1d5eda9, ftLastWriteTime.dwLowDateTime=0xe6a756c0, ftLastWriteTime.dwHighDateTime=0x1d5eda9, nFileSizeHigh=0x0, nFileSizeLow=0xabac, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="vjvzZZAwmggemRVyy.wav", cAlternateFileName="VJVZZZ~1.WAV")) returned 1 [0286.441] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2=".") returned 1 [0286.441] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="..") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="...") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="windows") returned -1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="$RECYCLE.BIN") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="rsa") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="NTDETECT.COM") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="ntldr") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="MSDOS.SYS") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="IO.SYS") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="boot.ini") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="AUTOEXEC.BAT") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="ntuser.dat") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="desktop.ini") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="CONFIG.SYS") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="RECYCLER") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="BOOTSECT.BAK") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="bootmgr") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="programdata") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="appdata") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="program files") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="program files (x86)") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="microsoft") returned 1 [0286.442] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="sophos") returned 1 [0286.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de7a8 [0286.442] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.442] PathFindExtensionW (pszPath="vjvzZZAwmggemRVyy.wav") returned=".wav" [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0286.443] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0286.443] lstrcmpiW (lpString1="vjvzZZAwmggemRVyy.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.443] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de840 [0286.443] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\vjvzZZAwmggemRVyy.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\vjvzzzawmggemrvyy.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0286.444] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=43948) returned 1 [0286.444] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.444] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.444] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.444] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.444] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0286.444] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.444] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0286.444] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0286.445] GetTickCount () returned 0x1187b67 [0286.445] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de720 [0286.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.445] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xabac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.445] SetLastError (dwErrCode=0x0) [0286.445] WriteFile (in: hFile=0x270, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.446] GetLastError () returned 0x0 [0286.446] GetLastError () returned 0x0 [0286.446] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xacac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.446] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.446] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xadac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.446] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd10da107, dwHighDateTime=0x1d5fd73)) [0286.446] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0286.447] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.447] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0286.447] GetProcessHeap () returned 0xa10000 [0286.447] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xabac) returned 0xa3f6a8 [0286.447] GetSystemDefaultLangID () returned 0xa20409 [0286.447] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.447] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xabac, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xabac, lpOverlapped=0x0) returned 1 [0286.450] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.450] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xabac, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xabac, lpOverlapped=0x0) returned 1 [0286.450] GetProcessHeap () returned 0xa10000 [0286.450] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0286.450] CloseHandle (hObject=0x270) returned 1 [0286.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0286.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.451] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de8d8 [0286.451] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\vjvzZZAwmggemRVyy.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\vjvzzzawmggemrvyy.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\vjvzZZAwmggemRVyy.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\vjvzzzawmggemrvyy.wav.nefilim")) returned 1 [0286.453] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8d8 | out: hHeap=0x28d0000) returned 1 [0286.453] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de840 | out: hHeap=0x28d0000) returned 1 [0286.453] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6900daa0, ftCreationTime.dwHighDateTime=0x1d5ed83, ftLastAccessTime.dwLowDateTime=0xa6062870, ftLastAccessTime.dwHighDateTime=0x1d5e530, ftLastWriteTime.dwLowDateTime=0xa6062870, ftLastWriteTime.dwHighDateTime=0x1d5e530, nFileSizeHigh=0x0, nFileSizeLow=0x14639, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="YdEStzRfma-Pm6.gif", cAlternateFileName="YDESTZ~1.GIF")) returned 1 [0286.453] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2=".") returned 1 [0286.453] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="..") returned 1 [0286.453] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="...") returned 1 [0286.453] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="windows") returned 1 [0286.453] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="$RECYCLE.BIN") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="rsa") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="NTDETECT.COM") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="ntldr") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="MSDOS.SYS") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="IO.SYS") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="boot.ini") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="AUTOEXEC.BAT") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="ntuser.dat") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="desktop.ini") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="CONFIG.SYS") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="RECYCLER") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="BOOTSECT.BAK") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="bootmgr") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="programdata") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="appdata") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="program files") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="program files (x86)") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="microsoft") returned 1 [0286.454] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="sophos") returned 1 [0286.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0286.454] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7a8 | out: hHeap=0x28d0000) returned 1 [0286.454] PathFindExtensionW (pszPath="YdEStzRfma-Pm6.gif") returned=".gif" [0286.454] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0286.454] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0286.454] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0286.455] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0286.455] lstrcmpiW (lpString1="YdEStzRfma-Pm6.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de7a8 [0286.455] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\YdEStzRfma-Pm6.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\ydestzrfma-pm6.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0286.455] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=83513) returned 1 [0286.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0286.456] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.456] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0286.456] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0286.456] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.456] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0286.456] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0286.456] GetTickCount () returned 0x1187b77 [0286.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de830 [0286.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.457] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14639, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.457] SetLastError (dwErrCode=0x0) [0286.457] WriteFile (in: hFile=0x270, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.458] GetLastError () returned 0x0 [0286.458] GetLastError () returned 0x0 [0286.458] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14739, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.458] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0286.458] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14839, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.458] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd1100393, dwHighDateTime=0x1d5fd73)) [0286.458] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de830 [0286.458] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.458] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0286.458] GetProcessHeap () returned 0xa10000 [0286.458] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x14639) returned 0xa3f6a8 [0286.459] GetSystemDefaultLangID () returned 0xa20409 [0286.459] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.459] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x14639, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x14639, lpOverlapped=0x0) returned 1 [0286.464] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.464] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x14639, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x14639, lpOverlapped=0x0) returned 1 [0286.465] GetProcessHeap () returned 0xa10000 [0286.465] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0286.465] CloseHandle (hObject=0x270) returned 1 [0286.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0286.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0286.467] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de830 [0286.467] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\YdEStzRfma-Pm6.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\ydestzrfma-pm6.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EEeuv7-9HI15TuLg4LE\\YdEStzRfma-Pm6.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eeeuv7-9hi15tulg4le\\ydestzrfma-pm6.gif.nefilim")) returned 1 [0286.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0286.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7a8 | out: hHeap=0x28d0000) returned 1 [0286.469] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6900daa0, ftCreationTime.dwHighDateTime=0x1d5ed83, ftLastAccessTime.dwLowDateTime=0xa6062870, ftLastAccessTime.dwHighDateTime=0x1d5e530, ftLastWriteTime.dwLowDateTime=0xa6062870, ftLastWriteTime.dwHighDateTime=0x1d5e530, nFileSizeHigh=0x0, nFileSizeLow=0x14639, dwReserved0=0x28dbe18, dwReserved1=0x3000000, cFileName="YdEStzRfma-Pm6.gif", cAlternateFileName="YDESTZ~1.GIF")) returned 0 [0286.469] FindClose (in: hFindFile=0xa2f360 | out: hFindFile=0xa2f360) returned 1 [0286.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0286.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.469] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccd13560, ftCreationTime.dwHighDateTime=0x1d5e51e, ftLastAccessTime.dwLowDateTime=0xae8d0ac0, ftLastAccessTime.dwHighDateTime=0x1d5e352, ftLastWriteTime.dwLowDateTime=0xae8d0ac0, ftLastWriteTime.dwHighDateTime=0x1d5e352, nFileSizeHigh=0x0, nFileSizeLow=0x2635, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="EsmFe1xqoXy.mp4", cAlternateFileName="ESMFE1~1.MP4")) returned 1 [0286.469] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2=".") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="..") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="...") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="windows") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="$RECYCLE.BIN") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="rsa") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="NTDETECT.COM") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="ntldr") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="MSDOS.SYS") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="IO.SYS") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="boot.ini") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="ntuser.dat") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="desktop.ini") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="CONFIG.SYS") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="RECYCLER") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="BOOTSECT.BAK") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="bootmgr") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="programdata") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="appdata") returned 1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="program files") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="program files (x86)") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="microsoft") returned -1 [0286.470] lstrcmpiW (lpString1="EsmFe1xqoXy.mp4", lpString2="sophos") returned -1 [0286.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.470] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0286.471] PathFindExtensionW (pszPath="EsmFe1xqoXy.mp4") returned=".mp4" [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0286.471] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0286.471] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x495835e0, ftCreationTime.dwHighDateTime=0x1d5f008, ftLastAccessTime.dwLowDateTime=0xa3cd6d80, ftLastAccessTime.dwHighDateTime=0x1d5e322, ftLastWriteTime.dwLowDateTime=0xa3cd6d80, ftLastWriteTime.dwHighDateTime=0x1d5e322, nFileSizeHigh=0x0, nFileSizeLow=0x181fd, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="ev_kkSKihV1.gif", cAlternateFileName="EV_KKS~1.GIF")) returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2=".") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="..") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="...") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="windows") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="$RECYCLE.BIN") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="rsa") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="NTDETECT.COM") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="ntldr") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="MSDOS.SYS") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="IO.SYS") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="boot.ini") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="AUTOEXEC.BAT") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="ntuser.dat") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="desktop.ini") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="CONFIG.SYS") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="RECYCLER") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="BOOTSECT.BAK") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="bootmgr") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="programdata") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="appdata") returned 1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="program files") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="program files (x86)") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="microsoft") returned -1 [0286.472] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="sophos") returned -1 [0286.472] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.473] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.473] PathFindExtensionW (pszPath="ev_kkSKihV1.gif") returned=".gif" [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0286.473] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0286.473] lstrcmpiW (lpString1="ev_kkSKihV1.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.473] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.473] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ev_kkSKihV1.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\ev_kkskihv1.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.474] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=98813) returned 1 [0286.474] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.474] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.474] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.474] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.474] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.474] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.474] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.474] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.475] GetTickCount () returned 0x1187b87 [0286.475] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.475] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x181fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.475] SetLastError (dwErrCode=0x0) [0286.475] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.476] GetLastError () returned 0x0 [0286.476] GetLastError () returned 0x0 [0286.476] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x182fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.476] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.476] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x183fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.476] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1126568, dwHighDateTime=0x1d5fd73)) [0286.477] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.477] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.477] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.477] GetProcessHeap () returned 0xa10000 [0286.477] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x181fd) returned 0xa3e6a0 [0286.477] GetSystemDefaultLangID () returned 0xa20409 [0286.477] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.477] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x181fd, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x181fd, lpOverlapped=0x0) returned 1 [0286.483] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.483] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x181fd, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x181fd, lpOverlapped=0x0) returned 1 [0286.484] GetProcessHeap () returned 0xa10000 [0286.484] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.484] CloseHandle (hObject=0x26c) returned 1 [0286.485] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.485] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.485] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.485] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.485] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.485] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\ev_kkSKihV1.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\ev_kkskihv1.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\ev_kkSKihV1.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\ev_kkskihv1.gif.nefilim")) returned 1 [0286.487] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.487] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.487] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bb229b0, ftCreationTime.dwHighDateTime=0x1d5e398, ftLastAccessTime.dwLowDateTime=0x1ccc7fb0, ftLastAccessTime.dwHighDateTime=0x1d5eed0, ftLastWriteTime.dwLowDateTime=0x1ccc7fb0, ftLastWriteTime.dwHighDateTime=0x1d5eed0, nFileSizeHigh=0x0, nFileSizeLow=0x11f45, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="gJ7i8mY7 _.pps", cAlternateFileName="GJ7I8M~1.PPS")) returned 1 [0286.487] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2=".") returned 1 [0286.487] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="..") returned 1 [0286.487] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="...") returned 1 [0286.487] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="windows") returned -1 [0286.487] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="$RECYCLE.BIN") returned 1 [0286.487] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="rsa") returned -1 [0286.487] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="NTDETECT.COM") returned -1 [0286.487] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="ntldr") returned -1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="MSDOS.SYS") returned -1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="IO.SYS") returned -1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="boot.ini") returned 1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="AUTOEXEC.BAT") returned 1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="ntuser.dat") returned -1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="desktop.ini") returned 1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="CONFIG.SYS") returned 1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="RECYCLER") returned -1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="BOOTSECT.BAK") returned 1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="bootmgr") returned 1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="programdata") returned -1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="appdata") returned 1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="program files") returned -1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="program files (x86)") returned -1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="microsoft") returned -1 [0286.488] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="sophos") returned -1 [0286.488] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.488] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.488] PathFindExtensionW (pszPath="gJ7i8mY7 _.pps") returned=".pps" [0286.488] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0286.488] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0286.488] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0286.488] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0286.488] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".NEFILIM") returned 1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0286.489] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0286.489] lstrcmpiW (lpString1="gJ7i8mY7 _.pps", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.489] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.489] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\gJ7i8mY7 _.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\gj7i8my7 _.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.489] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=73541) returned 1 [0286.489] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.489] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.490] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.490] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.490] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.490] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0286.490] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.490] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.490] GetTickCount () returned 0x1187b96 [0286.491] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.491] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.491] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11f45, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.491] SetLastError (dwErrCode=0x0) [0286.491] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.492] GetLastError () returned 0x0 [0286.492] GetLastError () returned 0x0 [0286.492] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12045, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.492] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.492] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12145, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.492] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd114c849, dwHighDateTime=0x1d5fd73)) [0286.492] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.493] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.493] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.493] GetProcessHeap () returned 0xa10000 [0286.493] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11f45) returned 0xa3e6a0 [0286.493] GetSystemDefaultLangID () returned 0xa20409 [0286.493] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.493] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x11f45, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x11f45, lpOverlapped=0x0) returned 1 [0286.497] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.497] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x11f45, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x11f45, lpOverlapped=0x0) returned 1 [0286.498] GetProcessHeap () returned 0xa10000 [0286.498] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.498] CloseHandle (hObject=0x26c) returned 1 [0286.499] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.499] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0286.499] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.499] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.499] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.499] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\gJ7i8mY7 _.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\gj7i8my7 _.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\gJ7i8mY7 _.pps.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\gj7i8my7 _.pps.nefilim")) returned 1 [0286.501] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.501] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.501] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19675790, ftCreationTime.dwHighDateTime=0x1d5e6c0, ftLastAccessTime.dwLowDateTime=0x51767fc0, ftLastAccessTime.dwHighDateTime=0x1d5e310, ftLastWriteTime.dwLowDateTime=0x51767fc0, ftLastWriteTime.dwHighDateTime=0x1d5e310, nFileSizeHigh=0x0, nFileSizeLow=0x90f1, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="GJKOO3cjleUD.gif", cAlternateFileName="GJKOO3~1.GIF")) returned 1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2=".") returned 1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="..") returned 1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="...") returned 1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="windows") returned -1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="$RECYCLE.BIN") returned 1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="rsa") returned -1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="NTDETECT.COM") returned -1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="ntldr") returned -1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="MSDOS.SYS") returned -1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="IO.SYS") returned -1 [0286.501] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="boot.ini") returned 1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="AUTOEXEC.BAT") returned 1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="ntuser.dat") returned -1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="desktop.ini") returned 1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="CONFIG.SYS") returned 1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="RECYCLER") returned -1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="BOOTSECT.BAK") returned 1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="bootmgr") returned 1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="programdata") returned -1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="appdata") returned 1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="program files") returned -1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="program files (x86)") returned -1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="microsoft") returned -1 [0286.502] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="sophos") returned -1 [0286.502] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf8 [0286.502] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.502] PathFindExtensionW (pszPath="GJKOO3cjleUD.gif") returned=".gif" [0286.502] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0286.502] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0286.502] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0286.502] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0286.502] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0286.503] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0286.503] lstrcmpiW (lpString1="GJKOO3cjleUD.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.503] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe60 [0286.503] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\GJKOO3cjleUD.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\gjkoo3cjleud.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.504] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=37105) returned 1 [0286.504] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.504] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.504] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.504] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.504] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.504] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.504] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.504] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.506] GetTickCount () returned 0x1187ba6 [0286.506] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0286.506] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0286.506] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x90f1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.506] SetLastError (dwErrCode=0x0) [0286.507] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.508] GetLastError () returned 0x0 [0286.508] GetLastError () returned 0x0 [0286.508] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x91f1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.508] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.508] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x92f1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.508] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1172bcb, dwHighDateTime=0x1d5fd73)) [0286.508] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbda0 [0286.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.508] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.508] GetProcessHeap () returned 0xa10000 [0286.508] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x90f1) returned 0xa3e6a0 [0286.509] GetSystemDefaultLangID () returned 0xa20409 [0286.510] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.510] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x90f1, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x90f1, lpOverlapped=0x0) returned 1 [0286.512] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.513] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x90f1, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x90f1, lpOverlapped=0x0) returned 1 [0286.513] GetProcessHeap () returned 0xa10000 [0286.513] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.513] CloseHandle (hObject=0x26c) returned 1 [0286.514] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.514] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.514] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.514] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0286.514] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\GJKOO3cjleUD.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\gjkoo3cjleud.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\GJKOO3cjleUD.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\gjkoo3cjleud.gif.nefilim")) returned 1 [0286.516] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.516] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe60 | out: hHeap=0x28d0000) returned 1 [0286.516] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904a1da0, ftCreationTime.dwHighDateTime=0x1d5e8a2, ftLastAccessTime.dwLowDateTime=0xbff395b0, ftLastAccessTime.dwHighDateTime=0x1d5ea76, ftLastWriteTime.dwLowDateTime=0xbff395b0, ftLastWriteTime.dwHighDateTime=0x1d5ea76, nFileSizeHigh=0x0, nFileSizeLow=0x9344, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="gotjv5Aw3vg.xls", cAlternateFileName="GOTJV5~1.XLS")) returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2=".") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="..") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="...") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="windows") returned -1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="$RECYCLE.BIN") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="rsa") returned -1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="NTDETECT.COM") returned -1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="ntldr") returned -1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="MSDOS.SYS") returned -1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="IO.SYS") returned -1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="boot.ini") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="AUTOEXEC.BAT") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="ntuser.dat") returned -1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="desktop.ini") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="CONFIG.SYS") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="RECYCLER") returned -1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="BOOTSECT.BAK") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="bootmgr") returned 1 [0286.516] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="programdata") returned -1 [0286.517] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="appdata") returned 1 [0286.517] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="program files") returned -1 [0286.517] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="program files (x86)") returned -1 [0286.517] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="microsoft") returned -1 [0286.517] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="sophos") returned -1 [0286.517] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.517] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.517] PathFindExtensionW (pszPath="gotjv5Aw3vg.xls") returned=".xls" [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0286.517] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0286.517] lstrcmpiW (lpString1="gotjv5Aw3vg.xls", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.518] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.518] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\gotjv5Aw3vg.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\gotjv5aw3vg.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.518] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=37700) returned 1 [0286.518] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0286.518] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.518] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0286.518] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.518] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.518] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.518] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.520] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.522] GetTickCount () returned 0x1187bb6 [0286.522] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.522] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.522] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9344, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.522] SetLastError (dwErrCode=0x0) [0286.522] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.523] GetLastError () returned 0x0 [0286.523] GetLastError () returned 0x0 [0286.523] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9444, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.523] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.523] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9544, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.523] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1198e48, dwHighDateTime=0x1d5fd73)) [0286.524] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.524] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.524] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.524] GetProcessHeap () returned 0xa10000 [0286.524] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x9344) returned 0xa3e6a0 [0286.524] GetSystemDefaultLangID () returned 0xa20409 [0286.524] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.524] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x9344, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x9344, lpOverlapped=0x0) returned 1 [0286.527] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.527] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x9344, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x9344, lpOverlapped=0x0) returned 1 [0286.527] GetProcessHeap () returned 0xa10000 [0286.527] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.527] CloseHandle (hObject=0x26c) returned 1 [0286.528] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.528] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.528] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0286.528] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.528] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.528] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\gotjv5Aw3vg.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\gotjv5aw3vg.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\gotjv5Aw3vg.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\gotjv5aw3vg.xls.nefilim")) returned 1 [0286.530] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.530] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.530] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e90f370, ftCreationTime.dwHighDateTime=0x1d5eb98, ftLastAccessTime.dwLowDateTime=0x611d4270, ftLastAccessTime.dwHighDateTime=0x1d5e738, ftLastWriteTime.dwLowDateTime=0x611d4270, ftLastWriteTime.dwHighDateTime=0x1d5e738, nFileSizeHigh=0x0, nFileSizeLow=0x12b20, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="habGbXHPlCJ2AejsDTV.bmp", cAlternateFileName="HABGBX~1.BMP")) returned 1 [0286.530] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2=".") returned 1 [0286.530] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="..") returned 1 [0286.530] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="...") returned 1 [0286.530] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="windows") returned -1 [0286.530] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="$RECYCLE.BIN") returned 1 [0286.530] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="rsa") returned -1 [0286.530] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="NTDETECT.COM") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="ntldr") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="MSDOS.SYS") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="IO.SYS") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="boot.ini") returned 1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="ntuser.dat") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="desktop.ini") returned 1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="CONFIG.SYS") returned 1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="RECYCLER") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="BOOTSECT.BAK") returned 1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="bootmgr") returned 1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="programdata") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="appdata") returned 1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="program files") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="program files (x86)") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="microsoft") returned -1 [0286.531] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="sophos") returned -1 [0286.531] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf8 [0286.531] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.531] PathFindExtensionW (pszPath="habGbXHPlCJ2AejsDTV.bmp") returned=".bmp" [0286.531] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0286.531] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0286.531] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0286.532] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0286.532] lstrcmpiW (lpString1="habGbXHPlCJ2AejsDTV.bmp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.532] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe60 [0286.532] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\habGbXHPlCJ2AejsDTV.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\habgbxhplcj2aejsdtv.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.532] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=76576) returned 1 [0286.532] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0286.533] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.533] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0286.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0286.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.533] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.533] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.534] GetTickCount () returned 0x1187bb6 [0286.534] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0286.534] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0286.534] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.534] SetLastError (dwErrCode=0x0) [0286.534] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.535] GetLastError () returned 0x0 [0286.535] GetLastError () returned 0x0 [0286.535] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.535] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.536] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.536] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd11c12a8, dwHighDateTime=0x1d5fd73)) [0286.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbda0 [0286.536] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.536] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.536] GetProcessHeap () returned 0xa10000 [0286.536] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12b20) returned 0xa3e6a0 [0286.536] GetSystemDefaultLangID () returned 0xa20409 [0286.536] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.536] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x12b20, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x12b20, lpOverlapped=0x0) returned 1 [0286.541] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.542] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x12b20, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x12b20, lpOverlapped=0x0) returned 1 [0286.542] GetProcessHeap () returned 0xa10000 [0286.542] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.542] CloseHandle (hObject=0x26c) returned 1 [0286.543] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0286.543] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.543] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.543] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0286.543] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0286.543] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\habGbXHPlCJ2AejsDTV.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\habgbxhplcj2aejsdtv.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\habGbXHPlCJ2AejsDTV.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\habgbxhplcj2aejsdtv.bmp.nefilim")) returned 1 [0286.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe60 | out: hHeap=0x28d0000) returned 1 [0286.545] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaded3170, ftCreationTime.dwHighDateTime=0x1d5e538, ftLastAccessTime.dwLowDateTime=0x92b9cbe0, ftLastAccessTime.dwHighDateTime=0x1d5e7e3, ftLastWriteTime.dwLowDateTime=0x92b9cbe0, ftLastWriteTime.dwHighDateTime=0x1d5e7e3, nFileSizeHigh=0x0, nFileSizeLow=0x11fbe, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="hcWig.avi", cAlternateFileName="")) returned 1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2=".") returned 1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="..") returned 1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="...") returned 1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="windows") returned -1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="$RECYCLE.BIN") returned 1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="rsa") returned -1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="NTDETECT.COM") returned -1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="ntldr") returned -1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="MSDOS.SYS") returned -1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="IO.SYS") returned -1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="boot.ini") returned 1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="AUTOEXEC.BAT") returned 1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="ntuser.dat") returned -1 [0286.545] lstrcmpiW (lpString1="hcWig.avi", lpString2="desktop.ini") returned 1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="CONFIG.SYS") returned 1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="RECYCLER") returned -1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="BOOTSECT.BAK") returned 1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="bootmgr") returned 1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="programdata") returned -1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="appdata") returned 1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="program files") returned -1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="program files (x86)") returned -1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="microsoft") returned -1 [0286.546] lstrcmpiW (lpString1="hcWig.avi", lpString2="sophos") returned -1 [0286.546] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.546] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.546] PathFindExtensionW (pszPath="hcWig.avi") returned=".avi" [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0286.546] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0286.547] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0286.547] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0286.547] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0286.547] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0286.547] lstrcmpiW (lpString1="hcWig.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.547] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.547] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hcWig.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\hcwig.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.547] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=73662) returned 1 [0286.547] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.547] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.547] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.547] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.547] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.547] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.547] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.548] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.550] GetTickCount () returned 0x1187bd5 [0286.550] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.550] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.550] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11fbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.550] SetLastError (dwErrCode=0x0) [0286.550] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.551] GetLastError () returned 0x0 [0286.551] GetLastError () returned 0x0 [0286.551] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x120be, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.552] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.552] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x121be, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.552] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd11e5183, dwHighDateTime=0x1d5fd73)) [0286.552] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.552] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.552] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.552] GetProcessHeap () returned 0xa10000 [0286.552] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11fbe) returned 0xa3e6a0 [0286.553] GetSystemDefaultLangID () returned 0xa20409 [0286.553] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.553] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x11fbe, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x11fbe, lpOverlapped=0x0) returned 1 [0286.559] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.559] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x11fbe, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x11fbe, lpOverlapped=0x0) returned 1 [0286.559] GetProcessHeap () returned 0xa10000 [0286.559] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.560] CloseHandle (hObject=0x26c) returned 1 [0286.560] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.561] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.561] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.561] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.561] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.561] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\hcWig.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\hcwig.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\hcWig.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\hcwig.avi.nefilim")) returned 1 [0286.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.562] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbec799d0, ftCreationTime.dwHighDateTime=0x1d5ecdc, ftLastAccessTime.dwLowDateTime=0x58ec38c0, ftLastAccessTime.dwHighDateTime=0x1d5ee2e, ftLastWriteTime.dwLowDateTime=0x58ec38c0, ftLastWriteTime.dwHighDateTime=0x1d5ee2e, nFileSizeHigh=0x0, nFileSizeLow=0xcf51, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="HvzW.xls", cAlternateFileName="")) returned 1 [0286.562] lstrcmpiW (lpString1="HvzW.xls", lpString2=".") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="..") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="...") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="windows") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="$RECYCLE.BIN") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="rsa") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="NTDETECT.COM") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="ntldr") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="MSDOS.SYS") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="IO.SYS") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="boot.ini") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="AUTOEXEC.BAT") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="ntuser.dat") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="desktop.ini") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="CONFIG.SYS") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="RECYCLER") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="BOOTSECT.BAK") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="bootmgr") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="programdata") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="appdata") returned 1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="program files") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="program files (x86)") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="microsoft") returned -1 [0286.563] lstrcmpiW (lpString1="HvzW.xls", lpString2="sophos") returned -1 [0286.563] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.563] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.564] PathFindExtensionW (pszPath="HvzW.xls") returned=".xls" [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0286.564] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0286.564] lstrcmpiW (lpString1="HvzW.xls", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.564] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.564] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\HvzW.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\hvzw.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.565] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=53073) returned 1 [0286.565] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.565] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.565] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.565] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.565] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.566] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.567] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.567] GetTickCount () returned 0x1187be4 [0286.567] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.567] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.567] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xcf51, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.567] SetLastError (dwErrCode=0x0) [0286.567] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.569] GetLastError () returned 0x0 [0286.569] GetLastError () returned 0x0 [0286.569] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd051, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.569] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.569] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd151, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.569] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd120b48e, dwHighDateTime=0x1d5fd73)) [0286.569] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.569] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.569] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.569] GetProcessHeap () returned 0xa10000 [0286.569] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xcf51) returned 0xa3e6a0 [0286.569] GetSystemDefaultLangID () returned 0xa20409 [0286.569] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.569] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xcf51, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xcf51, lpOverlapped=0x0) returned 1 [0286.573] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.573] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xcf51, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xcf51, lpOverlapped=0x0) returned 1 [0286.573] GetProcessHeap () returned 0xa10000 [0286.573] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.575] CloseHandle (hObject=0x26c) returned 1 [0286.575] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.575] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.575] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.576] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.576] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.576] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\HvzW.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\hvzw.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\HvzW.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\hvzw.xls.nefilim")) returned 1 [0286.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.577] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x479c9690, ftCreationTime.dwHighDateTime=0x1d5e23b, ftLastAccessTime.dwLowDateTime=0x56ddbab0, ftLastAccessTime.dwHighDateTime=0x1d5e323, ftLastWriteTime.dwLowDateTime=0x56ddbab0, ftLastWriteTime.dwHighDateTime=0x1d5e323, nFileSizeHigh=0x0, nFileSizeLow=0xfd27, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="Ihhvbbw2.png", cAlternateFileName="")) returned 1 [0286.577] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2=".") returned 1 [0286.577] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="..") returned 1 [0286.577] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="...") returned 1 [0286.577] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="windows") returned -1 [0286.577] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="$RECYCLE.BIN") returned 1 [0286.577] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="rsa") returned -1 [0286.577] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="NTDETECT.COM") returned -1 [0286.577] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="ntldr") returned -1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="MSDOS.SYS") returned -1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="IO.SYS") returned -1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="boot.ini") returned 1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="AUTOEXEC.BAT") returned 1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="ntuser.dat") returned -1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="desktop.ini") returned 1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="CONFIG.SYS") returned 1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="RECYCLER") returned -1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="BOOTSECT.BAK") returned 1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="bootmgr") returned 1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="programdata") returned -1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="appdata") returned 1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="program files") returned -1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="program files (x86)") returned -1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="microsoft") returned -1 [0286.578] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="sophos") returned -1 [0286.578] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.578] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.578] PathFindExtensionW (pszPath="Ihhvbbw2.png") returned=".png" [0286.578] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0286.578] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0286.578] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0286.578] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0286.579] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0286.579] lstrcmpiW (lpString1="Ihhvbbw2.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.579] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Ihhvbbw2.png" (normalized: "c:\\users\\fd1hvy\\desktop\\ihhvbbw2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.579] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=64807) returned 1 [0286.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0286.580] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.580] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0286.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0286.580] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.582] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.582] GetTickCount () returned 0x1187bf4 [0286.582] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.582] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.582] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xfd27, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.582] SetLastError (dwErrCode=0x0) [0286.582] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.583] GetLastError () returned 0x0 [0286.584] GetLastError () returned 0x0 [0286.584] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xfe27, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.584] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.584] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xff27, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.584] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd12315d1, dwHighDateTime=0x1d5fd73)) [0286.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.584] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.584] GetProcessHeap () returned 0xa10000 [0286.584] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xfd27) returned 0xa3e6a0 [0286.584] GetSystemDefaultLangID () returned 0xa20409 [0286.584] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.584] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xfd27, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xfd27, lpOverlapped=0x0) returned 1 [0286.589] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.589] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xfd27, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xfd27, lpOverlapped=0x0) returned 1 [0286.590] GetProcessHeap () returned 0xa10000 [0286.590] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.590] CloseHandle (hObject=0x26c) returned 1 [0286.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0286.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0286.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.591] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Ihhvbbw2.png" (normalized: "c:\\users\\fd1hvy\\desktop\\ihhvbbw2.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Ihhvbbw2.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\ihhvbbw2.png.nefilim")) returned 1 [0286.593] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.593] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.593] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24564e80, ftCreationTime.dwHighDateTime=0x1d5fd73, ftLastAccessTime.dwLowDateTime=0x24564e80, ftLastAccessTime.dwHighDateTime=0x1d5fd73, ftLastWriteTime.dwLowDateTime=0xdb040000, ftLastWriteTime.dwHighDateTime=0x1d5fd6e, nFileSizeHigh=0x0, nFileSizeLow=0x5ab400, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="kinodomino.exe", cAlternateFileName="KINODO~1.EXE")) returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2=".") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="..") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="...") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="windows") returned -1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="$RECYCLE.BIN") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="rsa") returned -1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="NTDETECT.COM") returned -1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="ntldr") returned -1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="MSDOS.SYS") returned -1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="IO.SYS") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="boot.ini") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="AUTOEXEC.BAT") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="ntuser.dat") returned -1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="desktop.ini") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="CONFIG.SYS") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="RECYCLER") returned -1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="BOOTSECT.BAK") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="bootmgr") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="programdata") returned -1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="appdata") returned 1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="program files") returned -1 [0286.593] lstrcmpiW (lpString1="kinodomino.exe", lpString2="program files (x86)") returned -1 [0286.594] lstrcmpiW (lpString1="kinodomino.exe", lpString2="microsoft") returned -1 [0286.594] lstrcmpiW (lpString1="kinodomino.exe", lpString2="sophos") returned -1 [0286.594] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.594] PathFindExtensionW (pszPath="kinodomino.exe") returned=".exe" [0286.594] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0286.594] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7544ac80, ftCreationTime.dwHighDateTime=0x1d5e845, ftLastAccessTime.dwLowDateTime=0xa7693200, ftLastAccessTime.dwHighDateTime=0x1d5e8ed, ftLastWriteTime.dwLowDateTime=0xa7693200, ftLastWriteTime.dwHighDateTime=0x1d5e8ed, nFileSizeHigh=0x0, nFileSizeLow=0x14ffa, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="KzytOKTu.ods", cAlternateFileName="")) returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2=".") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="..") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="...") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="windows") returned -1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="$RECYCLE.BIN") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="rsa") returned -1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="NTDETECT.COM") returned -1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="ntldr") returned -1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="MSDOS.SYS") returned -1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="IO.SYS") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="boot.ini") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="AUTOEXEC.BAT") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="ntuser.dat") returned -1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="desktop.ini") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="CONFIG.SYS") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="RECYCLER") returned -1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="BOOTSECT.BAK") returned 1 [0286.594] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="bootmgr") returned 1 [0286.595] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="programdata") returned -1 [0286.595] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="appdata") returned 1 [0286.595] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="program files") returned -1 [0286.595] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="program files (x86)") returned -1 [0286.595] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="microsoft") returned -1 [0286.595] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="sophos") returned -1 [0286.595] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.595] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.595] PathFindExtensionW (pszPath="KzytOKTu.ods") returned=".ods" [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".NEFILIM") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0286.595] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0286.595] lstrcmpiW (lpString1="KzytOKTu.ods", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.596] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\KzytOKTu.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\kzytoktu.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.596] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=86010) returned 1 [0286.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.596] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.612] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.612] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.612] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.612] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.614] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.616] GetTickCount () returned 0x1187c13 [0286.616] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.616] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.616] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14ffa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.616] SetLastError (dwErrCode=0x0) [0286.616] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.617] GetLastError () returned 0x0 [0286.618] GetLastError () returned 0x0 [0286.618] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x150fa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.618] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.618] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x151fa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.618] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd127db9f, dwHighDateTime=0x1d5fd73)) [0286.618] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.618] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.618] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.618] GetProcessHeap () returned 0xa10000 [0286.618] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x14ffa) returned 0xa3e6a0 [0286.618] GetSystemDefaultLangID () returned 0xa20409 [0286.618] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.618] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x14ffa, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x14ffa, lpOverlapped=0x0) returned 1 [0286.624] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.625] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x14ffa, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x14ffa, lpOverlapped=0x0) returned 1 [0286.625] GetProcessHeap () returned 0xa10000 [0286.625] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.625] CloseHandle (hObject=0x26c) returned 1 [0286.626] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.626] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.626] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.626] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.626] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.627] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\KzytOKTu.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\kzytoktu.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\KzytOKTu.ods.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\kzytoktu.ods.nefilim")) returned 1 [0286.629] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.629] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.629] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ea99d30, ftCreationTime.dwHighDateTime=0x1d5e57f, ftLastAccessTime.dwLowDateTime=0xaff6e360, ftLastAccessTime.dwHighDateTime=0x1d5e233, ftLastWriteTime.dwLowDateTime=0xaff6e360, ftLastWriteTime.dwHighDateTime=0x1d5e233, nFileSizeHigh=0x0, nFileSizeLow=0x2161, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="n6Nv7wjug0jftneZvMA.mp4", cAlternateFileName="N6NV7W~1.MP4")) returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2=".") returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="..") returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="...") returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="windows") returned -1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="$RECYCLE.BIN") returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="rsa") returned -1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="NTDETECT.COM") returned -1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="ntldr") returned -1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="MSDOS.SYS") returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="IO.SYS") returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="boot.ini") returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="ntuser.dat") returned -1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="desktop.ini") returned 1 [0286.629] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="CONFIG.SYS") returned 1 [0286.630] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="RECYCLER") returned -1 [0286.630] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="BOOTSECT.BAK") returned 1 [0286.630] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="bootmgr") returned 1 [0286.630] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="programdata") returned -1 [0286.630] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="appdata") returned 1 [0286.630] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="program files") returned -1 [0286.630] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="program files (x86)") returned -1 [0286.630] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="microsoft") returned 1 [0286.630] lstrcmpiW (lpString1="n6Nv7wjug0jftneZvMA.mp4", lpString2="sophos") returned -1 [0286.630] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf8 [0286.630] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.630] PathFindExtensionW (pszPath="n6Nv7wjug0jftneZvMA.mp4") returned=".mp4" [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0286.630] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0286.631] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc09075b0, ftCreationTime.dwHighDateTime=0x1d5e607, ftLastAccessTime.dwLowDateTime=0x89a2b630, ftLastAccessTime.dwHighDateTime=0x1d5eb2f, ftLastWriteTime.dwLowDateTime=0x89a2b630, ftLastWriteTime.dwHighDateTime=0x1d5eb2f, nFileSizeHigh=0x0, nFileSizeLow=0xe8f7, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="ogAPCN_WK.wav", cAlternateFileName="OGAPCN~1.WAV")) returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2=".") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="..") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="...") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="windows") returned -1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="$RECYCLE.BIN") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="rsa") returned -1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="NTDETECT.COM") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="ntldr") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="MSDOS.SYS") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="IO.SYS") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="boot.ini") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="AUTOEXEC.BAT") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="ntuser.dat") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="desktop.ini") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="CONFIG.SYS") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="RECYCLER") returned -1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="BOOTSECT.BAK") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="bootmgr") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="programdata") returned -1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="appdata") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="program files") returned -1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="program files (x86)") returned -1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="microsoft") returned 1 [0286.631] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="sophos") returned -1 [0286.631] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.632] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.632] PathFindExtensionW (pszPath="ogAPCN_WK.wav") returned=".wav" [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0286.632] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0286.632] lstrcmpiW (lpString1="ogAPCN_WK.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.632] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.632] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ogAPCN_WK.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\ogapcn_wk.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.633] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=59639) returned 1 [0286.633] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.633] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0286.633] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.633] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0286.633] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0286.633] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.633] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.634] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.634] GetTickCount () returned 0x1187c23 [0286.634] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.634] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe8f7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.634] SetLastError (dwErrCode=0x0) [0286.634] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.635] GetLastError () returned 0x0 [0286.635] GetLastError () returned 0x0 [0286.635] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe9f7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.635] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.635] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xeaf7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.636] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd12a3cfd, dwHighDateTime=0x1d5fd73)) [0286.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.636] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.636] GetProcessHeap () returned 0xa10000 [0286.636] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe8f7) returned 0xa3e6a0 [0286.636] GetSystemDefaultLangID () returned 0xa20409 [0286.636] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.636] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xe8f7, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xe8f7, lpOverlapped=0x0) returned 1 [0286.640] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.640] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xe8f7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xe8f7, lpOverlapped=0x0) returned 1 [0286.640] GetProcessHeap () returned 0xa10000 [0286.640] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.640] CloseHandle (hObject=0x26c) returned 1 [0286.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0286.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.641] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0286.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.641] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\ogAPCN_WK.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\ogapcn_wk.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\ogAPCN_WK.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\ogapcn_wk.wav.nefilim")) returned 1 [0286.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.643] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7fa3cb0, ftCreationTime.dwHighDateTime=0x1d5e4a7, ftLastAccessTime.dwLowDateTime=0x58321700, ftLastAccessTime.dwHighDateTime=0x1d5e7cc, ftLastWriteTime.dwLowDateTime=0x58321700, ftLastWriteTime.dwHighDateTime=0x1d5e7cc, nFileSizeHigh=0x0, nFileSizeLow=0x1360c, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="pn1bMWlRT oPs4I.mp3", cAlternateFileName="PN1BMW~1.MP3")) returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2=".") returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="..") returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="...") returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="windows") returned -1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="$RECYCLE.BIN") returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="rsa") returned -1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="NTDETECT.COM") returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="ntldr") returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="MSDOS.SYS") returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="IO.SYS") returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="boot.ini") returned 1 [0286.643] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="ntuser.dat") returned 1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="desktop.ini") returned 1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="CONFIG.SYS") returned 1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="RECYCLER") returned -1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="BOOTSECT.BAK") returned 1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="bootmgr") returned 1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="programdata") returned -1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="appdata") returned 1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="program files") returned -1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="program files (x86)") returned -1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="microsoft") returned 1 [0286.644] lstrcmpiW (lpString1="pn1bMWlRT oPs4I.mp3", lpString2="sophos") returned -1 [0286.644] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf8 [0286.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.644] PathFindExtensionW (pszPath="pn1bMWlRT oPs4I.mp3") returned=".mp3" [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0286.644] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0286.644] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa794bbe0, ftCreationTime.dwHighDateTime=0x1d5eeed, ftLastAccessTime.dwLowDateTime=0x42fe6fc0, ftLastAccessTime.dwHighDateTime=0x1d5ea72, ftLastWriteTime.dwLowDateTime=0x42fe6fc0, ftLastWriteTime.dwHighDateTime=0x1d5ea72, nFileSizeHigh=0x0, nFileSizeLow=0x55a7, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="r2xsONAXlt.odt", cAlternateFileName="R2XSON~1.ODT")) returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2=".") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="..") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="...") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="windows") returned -1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="$RECYCLE.BIN") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="rsa") returned -1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="NTDETECT.COM") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="ntldr") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="MSDOS.SYS") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="IO.SYS") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="boot.ini") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="AUTOEXEC.BAT") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="ntuser.dat") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="desktop.ini") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="CONFIG.SYS") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="RECYCLER") returned -1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="BOOTSECT.BAK") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="bootmgr") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="programdata") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="appdata") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="program files") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="program files (x86)") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="microsoft") returned 1 [0286.645] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="sophos") returned -1 [0286.645] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.645] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.646] PathFindExtensionW (pszPath="r2xsONAXlt.odt") returned=".odt" [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".log") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".cab") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".cmd") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".com") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".cpl") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".url") returned -1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".ttf") returned -1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".mp3") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".pif") returned -1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".mp4") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".NEFILIM") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0286.646] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0286.646] lstrcmpiW (lpString1="r2xsONAXlt.odt", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.646] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\r2xsONAXlt.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\r2xsonaxlt.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.647] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=21927) returned 1 [0286.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.647] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.647] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.647] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.648] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.648] GetTickCount () returned 0x1187c33 [0286.648] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.648] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.648] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x55a7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.648] SetLastError (dwErrCode=0x0) [0286.648] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.649] GetLastError () returned 0x0 [0286.649] GetLastError () returned 0x0 [0286.649] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x56a7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.649] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.650] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x57a7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.650] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd12c9f39, dwHighDateTime=0x1d5fd73)) [0286.650] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.650] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.650] GetProcessHeap () returned 0xa10000 [0286.650] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x55a7) returned 0xa3e6a0 [0286.650] GetSystemDefaultLangID () returned 0xa20409 [0286.650] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.650] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x55a7, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x55a7, lpOverlapped=0x0) returned 1 [0286.651] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.651] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x55a7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x55a7, lpOverlapped=0x0) returned 1 [0286.652] GetProcessHeap () returned 0xa10000 [0286.652] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.652] CloseHandle (hObject=0x26c) returned 1 [0286.653] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.653] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.653] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.653] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.653] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.653] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\r2xsONAXlt.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\r2xsonaxlt.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\r2xsONAXlt.odt.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\r2xsonaxlt.odt.nefilim")) returned 1 [0286.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.655] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.655] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a52330, ftCreationTime.dwHighDateTime=0x1d5ed54, ftLastAccessTime.dwLowDateTime=0xc8df4690, ftLastAccessTime.dwHighDateTime=0x1d5efe6, ftLastWriteTime.dwLowDateTime=0xc8df4690, ftLastWriteTime.dwHighDateTime=0x1d5efe6, nFileSizeHigh=0x0, nFileSizeLow=0x14dee, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="Rc4OLOx.odp", cAlternateFileName="")) returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2=".") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="..") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="...") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="windows") returned -1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="$RECYCLE.BIN") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="rsa") returned -1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="NTDETECT.COM") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="ntldr") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="MSDOS.SYS") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="IO.SYS") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="boot.ini") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="AUTOEXEC.BAT") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="ntuser.dat") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="desktop.ini") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="CONFIG.SYS") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="RECYCLER") returned -1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="BOOTSECT.BAK") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="bootmgr") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="programdata") returned 1 [0286.655] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="appdata") returned 1 [0286.656] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="program files") returned 1 [0286.656] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="program files (x86)") returned 1 [0286.656] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="microsoft") returned 1 [0286.656] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="sophos") returned -1 [0286.656] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.656] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.656] PathFindExtensionW (pszPath="Rc4OLOx.odp") returned=".odp" [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".NEFILIM") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0286.656] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0286.656] lstrcmpiW (lpString1="Rc4OLOx.odp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.656] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.657] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Rc4OLOx.odp" (normalized: "c:\\users\\fd1hvy\\desktop\\rc4olox.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.657] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=85486) returned 1 [0286.657] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0286.657] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.657] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0286.657] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.657] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0286.657] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.657] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.658] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.659] GetTickCount () returned 0x1187c42 [0286.659] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.659] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.660] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14dee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.660] SetLastError (dwErrCode=0x0) [0286.660] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.661] GetLastError () returned 0x0 [0286.661] GetLastError () returned 0x0 [0286.661] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14eee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.661] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.661] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14fee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.661] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd12f01dc, dwHighDateTime=0x1d5fd73)) [0286.661] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.661] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.661] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.661] GetProcessHeap () returned 0xa10000 [0286.661] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x14dee) returned 0xa3e6a0 [0286.662] GetSystemDefaultLangID () returned 0xa20409 [0286.663] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.663] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x14dee, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x14dee, lpOverlapped=0x0) returned 1 [0286.669] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.669] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x14dee, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x14dee, lpOverlapped=0x0) returned 1 [0286.670] GetProcessHeap () returned 0xa10000 [0286.670] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.670] CloseHandle (hObject=0x26c) returned 1 [0286.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0286.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0286.673] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.673] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.673] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Rc4OLOx.odp" (normalized: "c:\\users\\fd1hvy\\desktop\\rc4olox.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Rc4OLOx.odp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\rc4olox.odp.nefilim")) returned 1 [0286.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.675] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.675] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc820cc0, ftCreationTime.dwHighDateTime=0x1d5e29a, ftLastAccessTime.dwLowDateTime=0x1ec27cd0, ftLastAccessTime.dwHighDateTime=0x1d5eb6e, ftLastWriteTime.dwLowDateTime=0x1ec27cd0, ftLastWriteTime.dwHighDateTime=0x1d5eb6e, nFileSizeHigh=0x0, nFileSizeLow=0x127ba, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="TlmzV6L6yympAwUypAg.avi", cAlternateFileName="TLMZV6~1.AVI")) returned 1 [0286.675] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2=".") returned 1 [0286.675] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="..") returned 1 [0286.675] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="...") returned 1 [0286.675] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="windows") returned -1 [0286.675] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="$RECYCLE.BIN") returned 1 [0286.675] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="rsa") returned 1 [0286.675] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="NTDETECT.COM") returned 1 [0286.675] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="ntldr") returned 1 [0286.675] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="MSDOS.SYS") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="IO.SYS") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="boot.ini") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="AUTOEXEC.BAT") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="ntuser.dat") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="desktop.ini") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="CONFIG.SYS") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="RECYCLER") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="BOOTSECT.BAK") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="bootmgr") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="programdata") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="appdata") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="program files") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="program files (x86)") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="microsoft") returned 1 [0286.676] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="sophos") returned 1 [0286.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.676] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.676] PathFindExtensionW (pszPath="TlmzV6L6yympAwUypAg.avi") returned=".avi" [0286.676] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0286.676] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0286.676] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0286.676] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0286.676] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0286.676] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0286.677] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0286.677] lstrcmpiW (lpString1="TlmzV6L6yympAwUypAg.avi", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.677] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\TlmzV6L6yympAwUypAg.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\tlmzv6l6yympawuypag.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.677] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=75706) returned 1 [0286.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.677] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0286.678] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.678] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0286.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0286.678] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.678] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.678] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.679] GetTickCount () returned 0x1187c52 [0286.679] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe08 [0286.679] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.679] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x127ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.679] SetLastError (dwErrCode=0x0) [0286.679] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.680] GetLastError () returned 0x0 [0286.680] GetLastError () returned 0x0 [0286.680] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x128ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.680] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.680] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x129ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.680] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd13162be, dwHighDateTime=0x1d5fd73)) [0286.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe08 [0286.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.680] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.681] GetProcessHeap () returned 0xa10000 [0286.681] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x127ba) returned 0xa3e6a0 [0286.681] GetSystemDefaultLangID () returned 0xa20409 [0286.681] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.681] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x127ba, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x127ba, lpOverlapped=0x0) returned 1 [0286.686] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.686] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x127ba, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x127ba, lpOverlapped=0x0) returned 1 [0286.686] GetProcessHeap () returned 0xa10000 [0286.686] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.686] CloseHandle (hObject=0x26c) returned 1 [0286.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0286.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0286.687] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0286.687] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\TlmzV6L6yympAwUypAg.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\tlmzv6l6yympawuypag.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\TlmzV6L6yympAwUypAg.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\tlmzv6l6yympawuypag.avi.nefilim")) returned 1 [0286.689] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.689] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.689] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b582b0, ftCreationTime.dwHighDateTime=0x1d5e375, ftLastAccessTime.dwLowDateTime=0x8771a3d0, ftLastAccessTime.dwHighDateTime=0x1d5e5e9, ftLastWriteTime.dwLowDateTime=0x8771a3d0, ftLastWriteTime.dwHighDateTime=0x1d5e5e9, nFileSizeHigh=0x0, nFileSizeLow=0x141a5, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="ToAXlzjnavzV2i55.ots", cAlternateFileName="TOAXLZ~1.OTS")) returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2=".") returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="..") returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="...") returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="windows") returned -1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="$RECYCLE.BIN") returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="rsa") returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="NTDETECT.COM") returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="ntldr") returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="MSDOS.SYS") returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="IO.SYS") returned 1 [0286.689] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="boot.ini") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="AUTOEXEC.BAT") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="ntuser.dat") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="desktop.ini") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="CONFIG.SYS") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="RECYCLER") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="BOOTSECT.BAK") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="bootmgr") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="programdata") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="appdata") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="program files") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="program files (x86)") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="microsoft") returned 1 [0286.690] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="sophos") returned 1 [0286.690] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.690] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.690] PathFindExtensionW (pszPath="ToAXlzjnavzV2i55.ots") returned=".ots" [0286.690] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0286.690] lstrcmpiW (lpString1=".ots", lpString2=".log") returned 1 [0286.690] lstrcmpiW (lpString1=".ots", lpString2=".cab") returned 1 [0286.690] lstrcmpiW (lpString1=".ots", lpString2=".cmd") returned 1 [0286.690] lstrcmpiW (lpString1=".ots", lpString2=".com") returned 1 [0286.690] lstrcmpiW (lpString1=".ots", lpString2=".cpl") returned 1 [0286.690] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0286.691] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0286.691] lstrcmpiW (lpString1=".ots", lpString2=".url") returned -1 [0286.691] lstrcmpiW (lpString1=".ots", lpString2=".ttf") returned -1 [0286.691] lstrcmpiW (lpString1=".ots", lpString2=".mp3") returned 1 [0286.691] lstrcmpiW (lpString1=".ots", lpString2=".pif") returned -1 [0286.691] lstrcmpiW (lpString1=".ots", lpString2=".mp4") returned 1 [0286.691] lstrcmpiW (lpString1=".ots", lpString2=".NEFILIM") returned 1 [0286.691] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0286.691] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0286.691] lstrcmpiW (lpString1="ToAXlzjnavzV2i55.ots", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.691] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe08 [0286.691] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ToAXlzjnavzV2i55.ots" (normalized: "c:\\users\\fd1hvy\\desktop\\toaxlzjnavzv2i55.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.691] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=82341) returned 1 [0286.691] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0286.691] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.691] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0286.691] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.692] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.692] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0286.692] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.693] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.695] GetTickCount () returned 0x1187c61 [0286.695] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe70 [0286.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.695] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x141a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.695] SetLastError (dwErrCode=0x0) [0286.696] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.697] GetLastError () returned 0x0 [0286.697] GetLastError () returned 0x0 [0286.697] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x142a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.697] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.697] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x143a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.697] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd133c62b, dwHighDateTime=0x1d5fd73)) [0286.697] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe70 [0286.697] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.697] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.697] GetProcessHeap () returned 0xa10000 [0286.697] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x141a5) returned 0xa3e6a0 [0286.697] GetSystemDefaultLangID () returned 0xa20409 [0286.697] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.697] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x141a5, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x141a5, lpOverlapped=0x0) returned 1 [0286.704] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.704] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x141a5, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x141a5, lpOverlapped=0x0) returned 1 [0286.704] GetProcessHeap () returned 0xa10000 [0286.704] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.704] CloseHandle (hObject=0x26c) returned 1 [0286.705] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.706] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0286.706] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0286.706] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.706] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0286.706] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\ToAXlzjnavzV2i55.ots" (normalized: "c:\\users\\fd1hvy\\desktop\\toaxlzjnavzv2i55.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\ToAXlzjnavzV2i55.ots.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\toaxlzjnavzv2i55.ots.nefilim")) returned 1 [0286.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.708] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.708] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43ed1720, ftCreationTime.dwHighDateTime=0x1d5e7a1, ftLastAccessTime.dwLowDateTime=0x2a2d7e00, ftLastAccessTime.dwHighDateTime=0x1d5ee4b, ftLastWriteTime.dwLowDateTime=0x2a2d7e00, ftLastWriteTime.dwHighDateTime=0x1d5ee4b, nFileSizeHigh=0x0, nFileSizeLow=0x67ab, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="Utac7s8EeSVupk.gif", cAlternateFileName="UTAC7S~1.GIF")) returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2=".") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="..") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="...") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="windows") returned -1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="$RECYCLE.BIN") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="rsa") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="NTDETECT.COM") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="ntldr") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="MSDOS.SYS") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="IO.SYS") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="boot.ini") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="AUTOEXEC.BAT") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="ntuser.dat") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="desktop.ini") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="CONFIG.SYS") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="RECYCLER") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="BOOTSECT.BAK") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="bootmgr") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="programdata") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="appdata") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="program files") returned 1 [0286.708] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="program files (x86)") returned 1 [0286.709] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="microsoft") returned 1 [0286.709] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="sophos") returned 1 [0286.709] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe08 [0286.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.709] PathFindExtensionW (pszPath="Utac7s8EeSVupk.gif") returned=".gif" [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0286.709] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0286.709] lstrcmpiW (lpString1="Utac7s8EeSVupk.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.709] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbda0 [0286.709] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Utac7s8EeSVupk.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\utac7s8eesvupk.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.710] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=26539) returned 1 [0286.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0286.710] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.710] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0286.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0286.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0286.710] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.711] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.712] GetTickCount () returned 0x1187c71 [0286.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe70 [0286.712] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.712] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x67ab, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.713] SetLastError (dwErrCode=0x0) [0286.713] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.714] GetLastError () returned 0x0 [0286.714] GetLastError () returned 0x0 [0286.714] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x68ab, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.714] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.714] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x69ab, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.714] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd13629c8, dwHighDateTime=0x1d5fd73)) [0286.714] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe70 [0286.714] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.714] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.714] GetProcessHeap () returned 0xa10000 [0286.714] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x67ab) returned 0xa3e6a0 [0286.715] GetSystemDefaultLangID () returned 0xa20409 [0286.715] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.715] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x67ab, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x67ab, lpOverlapped=0x0) returned 1 [0286.717] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.717] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x67ab, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x67ab, lpOverlapped=0x0) returned 1 [0286.718] GetProcessHeap () returned 0xa10000 [0286.718] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.718] CloseHandle (hObject=0x26c) returned 1 [0286.719] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0286.719] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0286.719] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.719] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0286.719] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0286.719] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Utac7s8EeSVupk.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\utac7s8eesvupk.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Utac7s8EeSVupk.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\utac7s8eesvupk.gif.nefilim")) returned 1 [0286.720] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0286.720] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.720] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502b43e0, ftCreationTime.dwHighDateTime=0x1d5e76a, ftLastAccessTime.dwLowDateTime=0xc6fe25b0, ftLastAccessTime.dwHighDateTime=0x1d5e67e, ftLastWriteTime.dwLowDateTime=0xc6fe25b0, ftLastWriteTime.dwHighDateTime=0x1d5e67e, nFileSizeHigh=0x0, nFileSizeLow=0x475c, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="v4x5gsbD.swf", cAlternateFileName="")) returned 1 [0286.720] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2=".") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="..") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="...") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="windows") returned -1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="$RECYCLE.BIN") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="rsa") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="NTDETECT.COM") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="ntldr") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="MSDOS.SYS") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="IO.SYS") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="boot.ini") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="AUTOEXEC.BAT") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="ntuser.dat") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="desktop.ini") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="CONFIG.SYS") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="RECYCLER") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="BOOTSECT.BAK") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="bootmgr") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="programdata") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="appdata") returned 1 [0286.721] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="program files") returned 1 [0286.722] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="program files (x86)") returned 1 [0286.722] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="microsoft") returned 1 [0286.722] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="sophos") returned 1 [0286.722] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.722] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0286.722] PathFindExtensionW (pszPath="v4x5gsbD.swf") returned=".swf" [0286.722] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0286.722] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0286.722] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0286.722] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0286.722] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0286.722] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0286.722] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0286.722] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0286.722] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0286.724] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0286.724] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0286.724] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0286.724] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0286.724] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0286.724] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0286.724] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0286.724] lstrcmpiW (lpString1="v4x5gsbD.swf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0286.724] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf8 [0286.724] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\v4x5gsbD.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\v4x5gsbd.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.725] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=18268) returned 1 [0286.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.725] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.725] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0286.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0286.725] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.727] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.729] GetTickCount () returned 0x1187c81 [0286.729] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe50 [0286.729] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.729] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x475c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.729] SetLastError (dwErrCode=0x0) [0286.729] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.730] GetLastError () returned 0x0 [0286.730] GetLastError () returned 0x0 [0286.730] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x485c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.730] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.730] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x495c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.730] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd139f926, dwHighDateTime=0x1d5fd73)) [0286.731] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe50 [0286.731] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.731] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.731] GetProcessHeap () returned 0xa10000 [0286.731] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x475c) returned 0xa3e6a0 [0286.731] GetSystemDefaultLangID () returned 0xa20409 [0286.731] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.731] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x475c, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x475c, lpOverlapped=0x0) returned 1 [0286.733] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.733] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x475c, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x475c, lpOverlapped=0x0) returned 1 [0286.733] GetProcessHeap () returned 0xa10000 [0286.733] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.733] CloseHandle (hObject=0x26c) returned 1 [0286.735] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0286.736] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0286.736] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.736] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.736] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0286.736] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\v4x5gsbD.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\v4x5gsbd.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\v4x5gsbD.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\v4x5gsbd.swf.nefilim")) returned 1 [0286.738] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0286.738] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.738] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf78ac60, ftCreationTime.dwHighDateTime=0x1d5e8ba, ftLastAccessTime.dwLowDateTime=0x4d4a4d00, ftLastAccessTime.dwHighDateTime=0x1d5e225, ftLastWriteTime.dwLowDateTime=0x4d4a4d00, ftLastWriteTime.dwHighDateTime=0x1d5e225, nFileSizeHigh=0x0, nFileSizeLow=0xf575, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="vG55LaaR9SmTe2pxSD.mp3", cAlternateFileName="VG55LA~1.MP3")) returned 1 [0286.738] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2=".") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="..") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="...") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="windows") returned -1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="$RECYCLE.BIN") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="rsa") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="NTDETECT.COM") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="ntldr") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="MSDOS.SYS") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="IO.SYS") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="boot.ini") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="ntuser.dat") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="desktop.ini") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="CONFIG.SYS") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="RECYCLER") returned 1 [0286.739] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="BOOTSECT.BAK") returned 1 [0286.741] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="bootmgr") returned 1 [0286.741] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="programdata") returned 1 [0286.741] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="appdata") returned 1 [0286.741] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="program files") returned 1 [0286.741] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="program files (x86)") returned 1 [0286.741] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="microsoft") returned 1 [0286.741] lstrcmpiW (lpString1="vG55LaaR9SmTe2pxSD.mp3", lpString2="sophos") returned 1 [0286.741] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf8 [0286.741] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.741] PathFindExtensionW (pszPath="vG55LaaR9SmTe2pxSD.mp3") returned=".mp3" [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0286.741] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0286.741] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca9ced80, ftCreationTime.dwHighDateTime=0x1d5e4a0, ftLastAccessTime.dwLowDateTime=0x381ea230, ftLastAccessTime.dwHighDateTime=0x1d5ebb4, ftLastWriteTime.dwLowDateTime=0x381ea230, ftLastWriteTime.dwHighDateTime=0x1d5ebb4, nFileSizeHigh=0x0, nFileSizeLow=0x1d98, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="voVGab-j2.mp3", cAlternateFileName="VOVGAB~1.MP3")) returned 1 [0286.741] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2=".") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="..") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="...") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="windows") returned -1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="$RECYCLE.BIN") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="rsa") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="NTDETECT.COM") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="ntldr") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="MSDOS.SYS") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="IO.SYS") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="boot.ini") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="ntuser.dat") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="desktop.ini") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="CONFIG.SYS") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="RECYCLER") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="BOOTSECT.BAK") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="bootmgr") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="programdata") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="appdata") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="program files") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="program files (x86)") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="microsoft") returned 1 [0286.742] lstrcmpiW (lpString1="voVGab-j2.mp3", lpString2="sophos") returned 1 [0286.742] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbda0 [0286.742] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0286.742] PathFindExtensionW (pszPath="voVGab-j2.mp3") returned=".mp3" [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0286.829] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0286.829] FindNextFileW (in: hFindFile=0xa2f4a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca9ced80, ftCreationTime.dwHighDateTime=0x1d5e4a0, ftLastAccessTime.dwLowDateTime=0x381ea230, ftLastAccessTime.dwHighDateTime=0x1d5ebb4, ftLastWriteTime.dwLowDateTime=0x381ea230, ftLastWriteTime.dwHighDateTime=0x1d5ebb4, nFileSizeHigh=0x0, nFileSizeLow=0x1d98, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="voVGab-j2.mp3", cAlternateFileName="VOVGAB~1.MP3")) returned 0 [0286.829] FindClose (in: hFindFile=0xa2f4a0 | out: hFindFile=0xa2f4a0) returned 1 [0286.829] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0286.829] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0286.829] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0286.829] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe73fd394, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe73fd394, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0286.829] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0286.829] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0286.830] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0286.830] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0286.830] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0286.830] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd08 [0286.830] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd50 [0286.831] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0286.831] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe73fd394, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe73fd394, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f9a0 [0286.831] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0286.831] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe73fd394, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe73fd394, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0286.831] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0286.831] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0286.831] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeef964b0, ftCreationTime.dwHighDateTime=0x1d59d6f, ftLastAccessTime.dwLowDateTime=0x9da2a990, ftLastAccessTime.dwHighDateTime=0x1d57c87, ftLastWriteTime.dwLowDateTime=0x9da2a990, ftLastWriteTime.dwHighDateTime=0x1d57c87, nFileSizeHigh=0x0, nFileSizeLow=0xe0c8, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="0f_49If268AV3cgp.docx", cAlternateFileName="0F_49I~1.DOC")) returned 1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2=".") returned 1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="..") returned 1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="...") returned 1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="windows") returned -1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="$RECYCLE.BIN") returned 1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="rsa") returned -1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="NTDETECT.COM") returned -1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="ntldr") returned -1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="MSDOS.SYS") returned -1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="IO.SYS") returned -1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="boot.ini") returned -1 [0286.831] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="AUTOEXEC.BAT") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="ntuser.dat") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="desktop.ini") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="CONFIG.SYS") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="RECYCLER") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="BOOTSECT.BAK") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="bootmgr") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="programdata") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="appdata") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="program files") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="program files (x86)") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="microsoft") returned -1 [0286.832] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="sophos") returned -1 [0286.832] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbde0 [0286.832] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.832] PathFindExtensionW (pszPath="0f_49If268AV3cgp.docx") returned=".docx" [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0286.832] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0286.833] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0286.833] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0286.833] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0286.833] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0286.833] lstrcmpiW (lpString1="0f_49If268AV3cgp.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe48 [0286.833] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\0f_49If268AV3cgp.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0f_49if268av3cgp.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.833] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=57544) returned 1 [0286.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0286.833] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.833] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0286.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0286.833] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.834] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.834] GetTickCount () returned 0x1187cee [0286.834] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd98 [0286.834] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.834] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe0c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.834] SetLastError (dwErrCode=0x0) [0286.834] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.835] GetLastError () returned 0x0 [0286.835] GetLastError () returned 0x0 [0286.836] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe1c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.836] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.836] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe2c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.836] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd148e5ed, dwHighDateTime=0x1d5fd73)) [0286.836] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0286.836] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.836] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.836] GetProcessHeap () returned 0xa10000 [0286.836] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe0c8) returned 0xa3e6a0 [0286.836] GetSystemDefaultLangID () returned 0xa20409 [0286.836] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.836] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xe0c8, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xe0c8, lpOverlapped=0x0) returned 1 [0286.840] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.840] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xe0c8, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xe0c8, lpOverlapped=0x0) returned 1 [0286.841] GetProcessHeap () returned 0xa10000 [0286.841] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.841] CloseHandle (hObject=0x26c) returned 1 [0286.841] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.841] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0286.841] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.841] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0286.841] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0286.841] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\0f_49If268AV3cgp.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0f_49if268av3cgp.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\0f_49If268AV3cgp.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\0f_49if268av3cgp.docx.nefilim")) returned 1 [0286.842] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0286.842] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0286.842] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17c073a0, ftCreationTime.dwHighDateTime=0x1d5dab2, ftLastAccessTime.dwLowDateTime=0xc4464300, ftLastAccessTime.dwHighDateTime=0x1d58e29, ftLastWriteTime.dwLowDateTime=0xc4464300, ftLastWriteTime.dwHighDateTime=0x1d58e29, nFileSizeHigh=0x0, nFileSizeLow=0xd3c2, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="0XPAQPYm.docx", cAlternateFileName="0XPAQP~1.DOC")) returned 1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2=".") returned 1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="..") returned 1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="...") returned 1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="windows") returned -1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="$RECYCLE.BIN") returned 1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="rsa") returned -1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="NTDETECT.COM") returned -1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="ntldr") returned -1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="MSDOS.SYS") returned -1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="IO.SYS") returned -1 [0286.842] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="boot.ini") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="AUTOEXEC.BAT") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="ntuser.dat") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="desktop.ini") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="CONFIG.SYS") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="RECYCLER") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="BOOTSECT.BAK") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="bootmgr") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="programdata") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="appdata") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="program files") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="program files (x86)") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="microsoft") returned -1 [0286.843] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="sophos") returned -1 [0286.843] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe48 [0286.843] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde0 | out: hHeap=0x28d0000) returned 1 [0286.843] PathFindExtensionW (pszPath="0XPAQPYm.docx") returned=".docx" [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0286.843] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0286.844] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0286.844] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0286.844] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0286.844] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0286.844] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0286.844] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0286.844] lstrcmpiW (lpString1="0XPAQPYm.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.844] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbea0 [0286.844] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\0XPAQPYm.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0xpaqpym.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.892] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=54210) returned 1 [0286.892] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.893] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0286.893] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.893] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0286.893] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0286.893] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.893] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.893] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.894] GetTickCount () returned 0x1187d2d [0286.894] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd98 [0286.894] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.894] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd3c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.894] SetLastError (dwErrCode=0x0) [0286.894] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.896] GetLastError () returned 0x0 [0286.896] GetLastError () returned 0x0 [0286.896] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd4c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.896] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.897] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd5c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.897] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1526ed1, dwHighDateTime=0x1d5fd73)) [0286.897] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0286.897] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.897] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.898] GetProcessHeap () returned 0xa10000 [0286.898] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xd3c2) returned 0xa3e6a0 [0286.898] GetSystemDefaultLangID () returned 0xa20409 [0286.898] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.898] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xd3c2, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xd3c2, lpOverlapped=0x0) returned 1 [0286.902] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.902] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xd3c2, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xd3c2, lpOverlapped=0x0) returned 1 [0286.902] GetProcessHeap () returned 0xa10000 [0286.902] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.904] CloseHandle (hObject=0x26c) returned 1 [0286.904] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0286.904] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.904] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.904] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0286.904] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0286.904] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\0XPAQPYm.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0xpaqpym.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\0XPAQPYm.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\0xpaqpym.docx.nefilim")) returned 1 [0286.905] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.905] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0286.905] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b957e40, ftCreationTime.dwHighDateTime=0x1d5b0c0, ftLastAccessTime.dwLowDateTime=0xa3c665b0, ftLastAccessTime.dwHighDateTime=0x1d5acc9, ftLastWriteTime.dwLowDateTime=0xa3c665b0, ftLastWriteTime.dwHighDateTime=0x1d5acc9, nFileSizeHigh=0x0, nFileSizeLow=0xaae, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="BcGmf0LkYXTRQsZU.docx", cAlternateFileName="BCGMF0~1.DOC")) returned 1 [0286.905] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2=".") returned 1 [0286.905] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="..") returned 1 [0286.905] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="...") returned 1 [0286.905] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="windows") returned -1 [0286.905] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="$RECYCLE.BIN") returned 1 [0286.905] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="rsa") returned -1 [0286.905] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="NTDETECT.COM") returned -1 [0286.905] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="ntldr") returned -1 [0286.905] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="MSDOS.SYS") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="IO.SYS") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="boot.ini") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="AUTOEXEC.BAT") returned 1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="ntuser.dat") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="desktop.ini") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="CONFIG.SYS") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="RECYCLER") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="BOOTSECT.BAK") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="bootmgr") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="programdata") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="appdata") returned 1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="program files") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="program files (x86)") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="microsoft") returned -1 [0286.906] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="sophos") returned -1 [0286.906] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbea0 [0286.906] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0286.906] PathFindExtensionW (pszPath="BcGmf0LkYXTRQsZU.docx") returned=".docx" [0286.906] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0286.906] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0286.906] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0286.906] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0286.906] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0286.910] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0286.910] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0286.910] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0286.910] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0286.910] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0286.910] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0286.910] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0286.910] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0286.910] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0286.911] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0286.911] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0286.911] lstrcmpiW (lpString1="BcGmf0LkYXTRQsZU.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0286.911] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\BcGmf0LkYXTRQsZU.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bcgmf0lkyxtrqszu.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.911] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=2734) returned 1 [0286.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.911] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.911] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0286.911] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.914] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.915] GetTickCount () returned 0x1187d3c [0286.915] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe00 [0286.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0286.915] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xaae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.915] SetLastError (dwErrCode=0x0) [0286.915] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.916] GetLastError () returned 0x0 [0286.916] GetLastError () returned 0x0 [0286.916] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.916] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.916] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xcae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.916] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd154d24f, dwHighDateTime=0x1d5fd73)) [0286.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0286.916] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0286.916] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.917] GetProcessHeap () returned 0xa10000 [0286.917] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xaae) returned 0xa34b88 [0286.917] GetSystemDefaultLangID () returned 0xa20409 [0286.917] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.917] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0xaae, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0xaae, lpOverlapped=0x0) returned 1 [0286.917] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.917] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0xaae, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0xaae, lpOverlapped=0x0) returned 1 [0286.917] GetProcessHeap () returned 0xa10000 [0286.917] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0286.917] CloseHandle (hObject=0x26c) returned 1 [0286.917] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.917] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0286.917] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.917] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.917] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe00 [0286.917] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\BcGmf0LkYXTRQsZU.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bcgmf0lkyxtrqszu.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\BcGmf0LkYXTRQsZU.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\bcgmf0lkyxtrqszu.docx.nefilim")) returned 1 [0286.918] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0286.918] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.918] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="Database1.accdb", cAlternateFileName="DATABA~1.ACC")) returned 1 [0286.918] lstrcmpiW (lpString1="Database1.accdb", lpString2=".") returned 1 [0286.918] lstrcmpiW (lpString1="Database1.accdb", lpString2="..") returned 1 [0286.918] lstrcmpiW (lpString1="Database1.accdb", lpString2="...") returned 1 [0286.918] lstrcmpiW (lpString1="Database1.accdb", lpString2="windows") returned -1 [0286.918] lstrcmpiW (lpString1="Database1.accdb", lpString2="$RECYCLE.BIN") returned 1 [0286.918] lstrcmpiW (lpString1="Database1.accdb", lpString2="rsa") returned -1 [0286.918] lstrcmpiW (lpString1="Database1.accdb", lpString2="NTDETECT.COM") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntldr") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="MSDOS.SYS") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="IO.SYS") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="boot.ini") returned 1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="AUTOEXEC.BAT") returned 1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntuser.dat") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="desktop.ini") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="CONFIG.SYS") returned 1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="RECYCLER") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="BOOTSECT.BAK") returned 1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="bootmgr") returned 1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="programdata") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="appdata") returned 1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="program files") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="program files (x86)") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="microsoft") returned -1 [0286.919] lstrcmpiW (lpString1="Database1.accdb", lpString2="sophos") returned -1 [0286.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0286.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0286.919] PathFindExtensionW (pszPath="Database1.accdb") returned=".accdb" [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".exe") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".log") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".cab") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".cmd") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".com") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".cpl") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".ini") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".dll") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".url") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".ttf") returned -1 [0286.919] lstrcmpiW (lpString1=".accdb", lpString2=".mp3") returned -1 [0286.920] lstrcmpiW (lpString1=".accdb", lpString2=".pif") returned -1 [0286.920] lstrcmpiW (lpString1=".accdb", lpString2=".mp4") returned -1 [0286.920] lstrcmpiW (lpString1=".accdb", lpString2=".NEFILIM") returned -1 [0286.920] lstrcmpiW (lpString1=".accdb", lpString2=".msi") returned -1 [0286.920] lstrcmpiW (lpString1=".accdb", lpString2=".lnk") returned -1 [0286.920] lstrcmpiW (lpString1="Database1.accdb", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0286.920] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.920] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=348160) returned 1 [0286.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0286.920] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.920] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0286.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0286.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0286.920] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.921] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.921] GetTickCount () returned 0x1187d3c [0286.921] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe68 [0286.921] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0286.921] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x55000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.921] SetLastError (dwErrCode=0x0) [0286.921] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.936] GetLastError () returned 0x0 [0286.936] GetLastError () returned 0x0 [0286.936] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x55100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.936] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.936] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x55200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.936] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1573564, dwHighDateTime=0x1d5fd73)) [0286.936] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe68 [0286.936] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0286.937] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.937] GetProcessHeap () returned 0xa10000 [0286.937] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x55000) returned 0xa3e6a0 [0286.938] GetSystemDefaultLangID () returned 0xa20409 [0286.938] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.938] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x55000, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x55000, lpOverlapped=0x0) returned 1 [0286.967] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.967] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x55000, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x55000, lpOverlapped=0x0) returned 1 [0286.968] GetProcessHeap () returned 0xa10000 [0286.968] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.972] CloseHandle (hObject=0x26c) returned 1 [0286.972] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0286.972] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0286.972] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.972] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0286.972] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe68 [0286.972] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb.nefilim")) returned 1 [0286.974] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0286.974] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0286.974] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440c5760, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440c5760, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce494f1d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0286.974] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0286.974] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d945650, ftCreationTime.dwHighDateTime=0x1d5c9d8, ftLastAccessTime.dwLowDateTime=0x1a89d300, ftLastAccessTime.dwHighDateTime=0x1d58522, ftLastWriteTime.dwLowDateTime=0x1a89d300, ftLastWriteTime.dwHighDateTime=0x1d58522, nFileSizeHigh=0x0, nFileSizeLow=0xd0fb, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="dT--.pptx", cAlternateFileName="DT--~1.PPT")) returned 1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2=".") returned 1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="..") returned 1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="...") returned 1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="windows") returned -1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="$RECYCLE.BIN") returned 1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="rsa") returned -1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="NTDETECT.COM") returned -1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="ntldr") returned -1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="MSDOS.SYS") returned -1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="IO.SYS") returned -1 [0286.974] lstrcmpiW (lpString1="dT--.pptx", lpString2="boot.ini") returned 1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="ntuser.dat") returned -1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="desktop.ini") returned 1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="CONFIG.SYS") returned 1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="RECYCLER") returned -1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="BOOTSECT.BAK") returned 1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="bootmgr") returned 1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="programdata") returned -1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="appdata") returned 1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="program files") returned -1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="program files (x86)") returned -1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="microsoft") returned -1 [0286.975] lstrcmpiW (lpString1="dT--.pptx", lpString2="sophos") returned -1 [0286.975] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe00 [0286.975] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.975] PathFindExtensionW (pszPath="dT--.pptx") returned=".pptx" [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0286.975] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0286.976] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0286.976] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0286.976] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0286.976] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0286.976] lstrcmpiW (lpString1="dT--.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0286.976] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dT--.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\dt--.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.976] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=53499) returned 1 [0286.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0286.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.976] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0286.976] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0286.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0286.976] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.977] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.977] GetTickCount () returned 0x1187d7b [0286.977] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe58 [0286.977] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0286.977] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd0fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.977] SetLastError (dwErrCode=0x0) [0286.978] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.978] GetLastError () returned 0x0 [0286.978] GetLastError () returned 0x0 [0286.979] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd1fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.979] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.979] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd2fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.979] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd15e5c20, dwHighDateTime=0x1d5fd73)) [0286.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe58 [0286.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0286.979] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.979] GetProcessHeap () returned 0xa10000 [0286.979] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xd0fb) returned 0xa3e6a0 [0286.980] GetSystemDefaultLangID () returned 0xa20409 [0286.980] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.980] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xd0fb, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xd0fb, lpOverlapped=0x0) returned 1 [0286.983] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.984] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xd0fb, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xd0fb, lpOverlapped=0x0) returned 1 [0286.984] GetProcessHeap () returned 0xa10000 [0286.984] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.986] CloseHandle (hObject=0x26c) returned 1 [0286.986] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0286.986] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0286.986] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0286.986] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.986] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe58 [0286.986] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\dT--.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\dt--.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\dT--.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\dt--.pptx.nefilim")) returned 1 [0286.987] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0286.987] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.987] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x147940f0, ftCreationTime.dwHighDateTime=0x1d57a54, ftLastAccessTime.dwLowDateTime=0xd5428c60, ftLastAccessTime.dwHighDateTime=0x1d5795f, ftLastWriteTime.dwLowDateTime=0xd5428c60, ftLastWriteTime.dwHighDateTime=0x1d5795f, nFileSizeHigh=0x0, nFileSizeLow=0xbb90, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="dUkNHmItoUG.pptx", cAlternateFileName="DUKNHM~1.PPT")) returned 1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2=".") returned 1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="..") returned 1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="...") returned 1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="windows") returned -1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="$RECYCLE.BIN") returned 1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="rsa") returned -1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="NTDETECT.COM") returned -1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="ntldr") returned -1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="MSDOS.SYS") returned -1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="IO.SYS") returned -1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="boot.ini") returned 1 [0286.987] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="ntuser.dat") returned -1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="desktop.ini") returned 1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="CONFIG.SYS") returned 1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="RECYCLER") returned -1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="BOOTSECT.BAK") returned 1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="bootmgr") returned 1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="programdata") returned -1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="appdata") returned 1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="program files") returned -1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="program files (x86)") returned -1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="microsoft") returned -1 [0286.988] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="sophos") returned -1 [0286.988] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0286.988] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0286.988] PathFindExtensionW (pszPath="dUkNHmItoUG.pptx") returned=".pptx" [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0286.988] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0286.989] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0286.989] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0286.989] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0286.989] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0286.989] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0286.989] lstrcmpiW (lpString1="dUkNHmItoUG.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.989] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0286.989] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dUkNHmItoUG.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\duknhmitoug.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0286.989] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=48016) returned 1 [0286.989] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0286.989] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0286.989] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0286.989] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0286.989] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0286.989] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0286.989] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0286.991] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26eec04*=0x100) returned 1 [0286.992] GetTickCount () returned 0x1187d8a [0286.992] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe68 [0286.992] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0286.992] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.992] SetLastError (dwErrCode=0x0) [0286.992] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.993] GetLastError () returned 0x0 [0286.993] GetLastError () returned 0x0 [0286.993] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbc90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.993] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0286.993] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.993] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd160bf2e, dwHighDateTime=0x1d5fd73)) [0286.993] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe68 [0286.993] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0286.993] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0286.993] GetProcessHeap () returned 0xa10000 [0286.993] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xbb90) returned 0xa3e6a0 [0286.993] GetSystemDefaultLangID () returned 0xa20409 [0286.993] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.993] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xbb90, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xbb90, lpOverlapped=0x0) returned 1 [0286.996] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0286.996] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xbb90, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xbb90, lpOverlapped=0x0) returned 1 [0286.996] GetProcessHeap () returned 0xa10000 [0286.996] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0286.997] CloseHandle (hObject=0x26c) returned 1 [0286.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0286.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0286.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0286.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0286.997] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe68 [0286.997] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\dUkNHmItoUG.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\duknhmitoug.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\dUkNHmItoUG.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\duknhmitoug.pptx.nefilim")) returned 1 [0286.998] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0286.998] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0286.998] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c1f8840, ftCreationTime.dwHighDateTime=0x1d57648, ftLastAccessTime.dwLowDateTime=0x30bb1370, ftLastAccessTime.dwHighDateTime=0x1d5b6da, ftLastWriteTime.dwLowDateTime=0x30bb1370, ftLastWriteTime.dwHighDateTime=0x1d5b6da, nFileSizeHigh=0x0, nFileSizeLow=0x12bc, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="E298uF_G.pptx", cAlternateFileName="E298UF~1.PPT")) returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2=".") returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="..") returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="...") returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="windows") returned -1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="$RECYCLE.BIN") returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="rsa") returned -1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="NTDETECT.COM") returned -1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="ntldr") returned -1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="MSDOS.SYS") returned -1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="IO.SYS") returned -1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="boot.ini") returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="ntuser.dat") returned -1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="desktop.ini") returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="CONFIG.SYS") returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="RECYCLER") returned -1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="BOOTSECT.BAK") returned 1 [0286.998] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="bootmgr") returned 1 [0286.999] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="programdata") returned -1 [0286.999] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="appdata") returned 1 [0286.999] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="program files") returned -1 [0286.999] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="program files (x86)") returned -1 [0286.999] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="microsoft") returned -1 [0286.999] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="sophos") returned -1 [0286.999] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe00 [0286.999] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0286.999] PathFindExtensionW (pszPath="E298uF_G.pptx") returned=".pptx" [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0286.999] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0286.999] lstrcmpiW (lpString1="E298uF_G.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0286.999] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0287.000] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\E298uF_G.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\e298uf_g.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.000] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=4796) returned 1 [0287.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.000] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.000] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.000] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.001] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.001] GetTickCount () returned 0x1187d9a [0287.001] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe58 [0287.001] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0287.001] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.001] SetLastError (dwErrCode=0x0) [0287.001] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.003] GetLastError () returned 0x0 [0287.003] GetLastError () returned 0x0 [0287.003] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.003] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.003] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.003] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1632058, dwHighDateTime=0x1d5fd73)) [0287.003] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe58 [0287.003] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0287.003] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.003] GetProcessHeap () returned 0xa10000 [0287.003] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12bc) returned 0xa3e6a0 [0287.003] GetSystemDefaultLangID () returned 0xa20409 [0287.003] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.003] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x12bc, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x12bc, lpOverlapped=0x0) returned 1 [0287.004] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.004] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x12bc, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x12bc, lpOverlapped=0x0) returned 1 [0287.004] GetProcessHeap () returned 0xa10000 [0287.004] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.004] CloseHandle (hObject=0x26c) returned 1 [0287.004] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.004] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.004] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.004] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.004] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe58 [0287.004] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\E298uF_G.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\e298uf_g.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\E298uF_G.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\e298uf_g.pptx.nefilim")) returned 1 [0287.005] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0287.005] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.005] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0960a0, ftCreationTime.dwHighDateTime=0x1d5e8c3, ftLastAccessTime.dwLowDateTime=0xd6ba2a50, ftLastAccessTime.dwHighDateTime=0x1d5e4a1, ftLastWriteTime.dwLowDateTime=0xd6ba2a50, ftLastWriteTime.dwHighDateTime=0x1d5e4a1, nFileSizeHigh=0x0, nFileSizeLow=0x14a8, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="flu DHpbjHV.docx", cAlternateFileName="FLUDHP~1.DOC")) returned 1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2=".") returned 1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="..") returned 1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="...") returned 1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="windows") returned -1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="$RECYCLE.BIN") returned 1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="rsa") returned -1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="NTDETECT.COM") returned -1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="ntldr") returned -1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="MSDOS.SYS") returned -1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="IO.SYS") returned -1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="boot.ini") returned 1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="AUTOEXEC.BAT") returned 1 [0287.005] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="ntuser.dat") returned -1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="desktop.ini") returned 1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="CONFIG.SYS") returned 1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="RECYCLER") returned -1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="BOOTSECT.BAK") returned 1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="bootmgr") returned 1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="programdata") returned -1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="appdata") returned 1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="program files") returned -1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="program files (x86)") returned -1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="microsoft") returned -1 [0287.006] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="sophos") returned -1 [0287.006] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0287.006] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.006] PathFindExtensionW (pszPath="flu DHpbjHV.docx") returned=".docx" [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0287.006] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0287.007] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0287.007] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0287.007] lstrcmpiW (lpString1="flu DHpbjHV.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0287.007] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\flu DHpbjHV.docx" (normalized: "c:\\users\\fd1hvy\\documents\\flu dhpbjhv.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.007] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=5288) returned 1 [0287.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0287.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.007] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0287.007] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.007] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.007] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.008] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.009] GetTickCount () returned 0x1187d9a [0287.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe68 [0287.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.009] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.009] SetLastError (dwErrCode=0x0) [0287.009] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.010] GetLastError () returned 0x0 [0287.010] GetLastError () returned 0x0 [0287.010] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.010] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.010] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.010] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1632058, dwHighDateTime=0x1d5fd73)) [0287.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe68 [0287.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.011] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.011] GetProcessHeap () returned 0xa10000 [0287.011] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x14a8) returned 0xa3e6a0 [0287.011] GetSystemDefaultLangID () returned 0xa20409 [0287.011] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.011] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x14a8, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x14a8, lpOverlapped=0x0) returned 1 [0287.012] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.012] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x14a8, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x14a8, lpOverlapped=0x0) returned 1 [0287.012] GetProcessHeap () returned 0xa10000 [0287.012] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.013] CloseHandle (hObject=0x26c) returned 1 [0287.013] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.013] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.013] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0287.013] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe68 [0287.013] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\flu DHpbjHV.docx" (normalized: "c:\\users\\fd1hvy\\documents\\flu dhpbjhv.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\flu DHpbjHV.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\flu dhpbjhv.docx.nefilim")) returned 1 [0287.014] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.014] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.014] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e140750, ftCreationTime.dwHighDateTime=0x1d57a50, ftLastAccessTime.dwLowDateTime=0xa4338600, ftLastAccessTime.dwHighDateTime=0x1d58793, ftLastWriteTime.dwLowDateTime=0xa4338600, ftLastWriteTime.dwHighDateTime=0x1d58793, nFileSizeHigh=0x0, nFileSizeLow=0x68a9, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="fRgXfLMu-9E-NK4sqJF6.docx", cAlternateFileName="FRGXFL~1.DOC")) returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2=".") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="..") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="...") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="windows") returned -1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="$RECYCLE.BIN") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="rsa") returned -1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="NTDETECT.COM") returned -1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="ntldr") returned -1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="MSDOS.SYS") returned -1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="IO.SYS") returned -1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="boot.ini") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="AUTOEXEC.BAT") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="ntuser.dat") returned -1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="desktop.ini") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="CONFIG.SYS") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="RECYCLER") returned -1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="BOOTSECT.BAK") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="bootmgr") returned 1 [0287.014] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="programdata") returned -1 [0287.015] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="appdata") returned 1 [0287.015] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="program files") returned -1 [0287.015] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="program files (x86)") returned -1 [0287.015] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="microsoft") returned -1 [0287.015] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="sophos") returned -1 [0287.015] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe00 [0287.015] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.015] PathFindExtensionW (pszPath="fRgXfLMu-9E-NK4sqJF6.docx") returned=".docx" [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0287.015] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0287.016] lstrcmpiW (lpString1="fRgXfLMu-9E-NK4sqJF6.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.016] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe78 [0287.016] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\fRgXfLMu-9E-NK4sqJF6.docx" (normalized: "c:\\users\\fd1hvy\\documents\\frgxflmu-9e-nk4sqjf6.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.016] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=26793) returned 1 [0287.016] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0287.016] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.017] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0287.017] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0287.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.017] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.018] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.018] GetTickCount () returned 0x1187daa [0287.018] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbd98 [0287.018] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.018] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x68a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.018] SetLastError (dwErrCode=0x0) [0287.018] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.019] GetLastError () returned 0x0 [0287.019] GetLastError () returned 0x0 [0287.020] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x69a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.020] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.020] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x6aa9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.020] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1658313, dwHighDateTime=0x1d5fd73)) [0287.020] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd98 [0287.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.020] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.020] GetProcessHeap () returned 0xa10000 [0287.020] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x68a9) returned 0xa3e6a0 [0287.020] GetSystemDefaultLangID () returned 0xa20409 [0287.020] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.020] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x68a9, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x68a9, lpOverlapped=0x0) returned 1 [0287.022] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.022] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x68a9, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x68a9, lpOverlapped=0x0) returned 1 [0287.022] GetProcessHeap () returned 0xa10000 [0287.022] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.022] CloseHandle (hObject=0x26c) returned 1 [0287.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0287.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0287.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0287.022] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\fRgXfLMu-9E-NK4sqJF6.docx" (normalized: "c:\\users\\fd1hvy\\documents\\frgxflmu-9e-nk4sqjf6.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\fRgXfLMu-9E-NK4sqJF6.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\frgxflmu-9e-nk4sqjf6.docx.nefilim")) returned 1 [0287.023] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.023] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe78 | out: hHeap=0x28d0000) returned 1 [0287.023] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a1a570, ftCreationTime.dwHighDateTime=0x1d571af, ftLastAccessTime.dwLowDateTime=0x9ef6af80, ftLastAccessTime.dwHighDateTime=0x1d57381, ftLastWriteTime.dwLowDateTime=0x9ef6af80, ftLastWriteTime.dwHighDateTime=0x1d57381, nFileSizeHigh=0x0, nFileSizeLow=0x17f8d, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="G2nPMsmCNvz3.xlsx", cAlternateFileName="G2NPMS~1.XLS")) returned 1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2=".") returned 1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="..") returned 1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="...") returned 1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="windows") returned -1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="rsa") returned -1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="NTDETECT.COM") returned -1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="ntldr") returned -1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="MSDOS.SYS") returned -1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="IO.SYS") returned -1 [0287.023] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="boot.ini") returned 1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="ntuser.dat") returned -1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="desktop.ini") returned 1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="CONFIG.SYS") returned 1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="RECYCLER") returned -1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="bootmgr") returned 1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="programdata") returned -1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="appdata") returned 1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="program files") returned -1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="program files (x86)") returned -1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="microsoft") returned -1 [0287.024] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="sophos") returned -1 [0287.024] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0287.024] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.024] PathFindExtensionW (pszPath="G2nPMsmCNvz3.xlsx") returned=".xlsx" [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0287.024] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0287.025] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0287.025] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0287.025] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0287.025] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0287.025] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0287.025] lstrcmpiW (lpString1="G2nPMsmCNvz3.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.025] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0287.025] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\G2nPMsmCNvz3.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\g2npmsmcnvz3.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.025] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=98189) returned 1 [0287.025] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.025] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0287.025] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.025] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0287.025] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.025] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.025] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.026] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.026] GetTickCount () returned 0x1187daa [0287.026] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe68 [0287.026] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.026] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x17f8d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.026] SetLastError (dwErrCode=0x0) [0287.026] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.027] GetLastError () returned 0x0 [0287.027] GetLastError () returned 0x0 [0287.027] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1808d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.027] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.027] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1818d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.027] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1658313, dwHighDateTime=0x1d5fd73)) [0287.027] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe68 [0287.027] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.028] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.028] GetProcessHeap () returned 0xa10000 [0287.028] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x17f8d) returned 0xa3e6a0 [0287.028] GetSystemDefaultLangID () returned 0xa20409 [0287.028] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.028] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x17f8d, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x17f8d, lpOverlapped=0x0) returned 1 [0287.035] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.035] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x17f8d, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x17f8d, lpOverlapped=0x0) returned 1 [0287.035] GetProcessHeap () returned 0xa10000 [0287.035] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.035] CloseHandle (hObject=0x26c) returned 1 [0287.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0287.036] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe68 [0287.036] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\G2nPMsmCNvz3.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\g2npmsmcnvz3.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\G2nPMsmCNvz3.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\g2npmsmcnvz3.xlsx.nefilim")) returned 1 [0287.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.036] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4221c60, ftCreationTime.dwHighDateTime=0x1d5abee, ftLastAccessTime.dwLowDateTime=0xcca4f50, ftLastAccessTime.dwHighDateTime=0x1d5a256, ftLastWriteTime.dwLowDateTime=0xcca4f50, ftLastWriteTime.dwHighDateTime=0x1d5a256, nFileSizeHigh=0x0, nFileSizeLow=0xa10a, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="G73rNwEVJix95.pptx", cAlternateFileName="G73RNW~1.PPT")) returned 1 [0287.036] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2=".") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="..") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="...") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="windows") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="$RECYCLE.BIN") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="rsa") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="NTDETECT.COM") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="ntldr") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="MSDOS.SYS") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="IO.SYS") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="boot.ini") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="ntuser.dat") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="desktop.ini") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="CONFIG.SYS") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="RECYCLER") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="BOOTSECT.BAK") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="bootmgr") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="programdata") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="appdata") returned 1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="program files") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="program files (x86)") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="microsoft") returned -1 [0287.037] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="sophos") returned -1 [0287.037] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0287.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.037] PathFindExtensionW (pszPath="G73rNwEVJix95.pptx") returned=".pptx" [0287.037] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0287.037] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0287.037] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0287.037] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0287.037] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0287.038] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0287.038] lstrcmpiW (lpString1="G73rNwEVJix95.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0287.038] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\G73rNwEVJix95.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\g73rnwevjix95.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.038] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=41226) returned 1 [0287.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0287.038] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.038] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0287.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0287.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0287.039] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.040] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.041] GetTickCount () returned 0x1187db9 [0287.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe68 [0287.041] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.041] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa10a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.041] SetLastError (dwErrCode=0x0) [0287.041] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.042] GetLastError () returned 0x0 [0287.042] GetLastError () returned 0x0 [0287.042] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa20a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.042] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.042] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa30a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.042] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd167e66a, dwHighDateTime=0x1d5fd73)) [0287.042] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe68 [0287.042] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.042] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.042] GetProcessHeap () returned 0xa10000 [0287.042] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xa10a) returned 0xa3e6a0 [0287.042] GetSystemDefaultLangID () returned 0xa20409 [0287.042] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.042] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xa10a, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xa10a, lpOverlapped=0x0) returned 1 [0287.045] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.045] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xa10a, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xa10a, lpOverlapped=0x0) returned 1 [0287.045] GetProcessHeap () returned 0xa10000 [0287.045] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.045] CloseHandle (hObject=0x26c) returned 1 [0287.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0287.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0287.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0287.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe68 [0287.045] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\G73rNwEVJix95.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\g73rnwevjix95.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\G73rNwEVJix95.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\g73rnwevjix95.pptx.nefilim")) returned 1 [0287.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.046] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ee3c90, ftCreationTime.dwHighDateTime=0x1d5826a, ftLastAccessTime.dwLowDateTime=0x1534a580, ftLastAccessTime.dwHighDateTime=0x1d5b97d, ftLastWriteTime.dwLowDateTime=0x1534a580, ftLastWriteTime.dwHighDateTime=0x1d5b97d, nFileSizeHigh=0x0, nFileSizeLow=0xf301, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="g9b43v82e.docx", cAlternateFileName="G9B43V~1.DOC")) returned 1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2=".") returned 1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="..") returned 1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="...") returned 1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="windows") returned -1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="$RECYCLE.BIN") returned 1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="rsa") returned -1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="NTDETECT.COM") returned -1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="ntldr") returned -1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="MSDOS.SYS") returned -1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="IO.SYS") returned -1 [0287.046] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="boot.ini") returned 1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="AUTOEXEC.BAT") returned 1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="ntuser.dat") returned -1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="desktop.ini") returned 1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="CONFIG.SYS") returned 1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="RECYCLER") returned -1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="BOOTSECT.BAK") returned 1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="bootmgr") returned 1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="programdata") returned -1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="appdata") returned 1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="program files") returned -1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="program files (x86)") returned -1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="microsoft") returned -1 [0287.047] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="sophos") returned -1 [0287.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0287.121] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.121] PathFindExtensionW (pszPath="g9b43v82e.docx") returned=".docx" [0287.121] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0287.121] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0287.122] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0287.122] lstrcmpiW (lpString1="g9b43v82e.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.122] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0287.122] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\g9b43v82e.docx" (normalized: "c:\\users\\fd1hvy\\documents\\g9b43v82e.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.123] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=62209) returned 1 [0287.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0287.123] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.123] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0287.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.123] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.123] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.125] GetTickCount () returned 0x1187e07 [0287.125] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe68 [0287.125] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.125] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf301, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.125] SetLastError (dwErrCode=0x0) [0287.125] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.127] GetLastError () returned 0x0 [0287.127] GetLastError () returned 0x0 [0287.127] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf401, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.127] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.127] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf501, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.127] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd17633d0, dwHighDateTime=0x1d5fd73)) [0287.127] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe68 [0287.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.127] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.127] GetProcessHeap () returned 0xa10000 [0287.127] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xf301) returned 0xa3e6a0 [0287.128] GetSystemDefaultLangID () returned 0xa20409 [0287.128] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.128] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xf301, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xf301, lpOverlapped=0x0) returned 1 [0287.133] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.133] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xf301, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xf301, lpOverlapped=0x0) returned 1 [0287.133] GetProcessHeap () returned 0xa10000 [0287.133] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.134] CloseHandle (hObject=0x26c) returned 1 [0287.134] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.134] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.134] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.134] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0287.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe68 [0287.134] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\g9b43v82e.docx" (normalized: "c:\\users\\fd1hvy\\documents\\g9b43v82e.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\g9b43v82e.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\g9b43v82e.docx.nefilim")) returned 1 [0287.135] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.135] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.135] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd10cd60, ftCreationTime.dwHighDateTime=0x1d595b4, ftLastAccessTime.dwLowDateTime=0xf787e640, ftLastAccessTime.dwHighDateTime=0x1d5e5ce, ftLastWriteTime.dwLowDateTime=0xf787e640, ftLastWriteTime.dwHighDateTime=0x1d5e5ce, nFileSizeHigh=0x0, nFileSizeLow=0x160ac, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="Gvk5.pptx", cAlternateFileName="GVK5~1.PPT")) returned 1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2=".") returned 1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="..") returned 1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="...") returned 1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="windows") returned -1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="$RECYCLE.BIN") returned 1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="rsa") returned -1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="NTDETECT.COM") returned -1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="ntldr") returned -1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="MSDOS.SYS") returned -1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="IO.SYS") returned -1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="boot.ini") returned 1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="ntuser.dat") returned -1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="desktop.ini") returned 1 [0287.135] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="CONFIG.SYS") returned 1 [0287.136] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="RECYCLER") returned -1 [0287.136] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="BOOTSECT.BAK") returned 1 [0287.136] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="bootmgr") returned 1 [0287.136] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="programdata") returned -1 [0287.136] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="appdata") returned 1 [0287.136] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="program files") returned -1 [0287.136] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="program files (x86)") returned -1 [0287.136] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="microsoft") returned -1 [0287.136] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="sophos") returned -1 [0287.136] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe00 [0287.136] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.136] PathFindExtensionW (pszPath="Gvk5.pptx") returned=".pptx" [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0287.136] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0287.137] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0287.137] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0287.137] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0287.137] lstrcmpiW (lpString1="Gvk5.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.137] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0287.137] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Gvk5.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\gvk5.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.137] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=90284) returned 1 [0287.137] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.137] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.137] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.137] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.137] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.137] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.137] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.139] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.140] GetTickCount () returned 0x1187e17 [0287.140] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe58 [0287.140] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0287.140] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x160ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.141] SetLastError (dwErrCode=0x0) [0287.141] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.142] GetLastError () returned 0x0 [0287.142] GetLastError () returned 0x0 [0287.143] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x161ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.143] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.143] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x162ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.143] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd17895d2, dwHighDateTime=0x1d5fd73)) [0287.143] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe58 [0287.143] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0287.143] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.143] GetProcessHeap () returned 0xa10000 [0287.143] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x160ac) returned 0xa3e6a0 [0287.143] GetSystemDefaultLangID () returned 0xa20409 [0287.143] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.143] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x160ac, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x160ac, lpOverlapped=0x0) returned 1 [0287.150] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.150] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x160ac, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x160ac, lpOverlapped=0x0) returned 1 [0287.151] GetProcessHeap () returned 0xa10000 [0287.151] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.151] CloseHandle (hObject=0x26c) returned 1 [0287.151] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.151] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.151] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.151] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.151] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe58 [0287.151] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Gvk5.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\gvk5.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Gvk5.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\gvk5.pptx.nefilim")) returned 1 [0287.152] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0287.152] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.152] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61570530, ftCreationTime.dwHighDateTime=0x1d5e73a, ftLastAccessTime.dwLowDateTime=0x941a56c0, ftLastAccessTime.dwHighDateTime=0x1d5ead7, ftLastWriteTime.dwLowDateTime=0x941a56c0, ftLastWriteTime.dwHighDateTime=0x1d5ead7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="HD4tjqiq5TMv15yk7Or", cAlternateFileName="HD4TJQ~1")) returned 1 [0287.152] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2=".") returned 1 [0287.152] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="..") returned 1 [0287.152] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="...") returned 1 [0287.152] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="windows") returned -1 [0287.152] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="$RECYCLE.BIN") returned 1 [0287.152] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="rsa") returned -1 [0287.152] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="NTDETECT.COM") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="ntldr") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="MSDOS.SYS") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="IO.SYS") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="boot.ini") returned 1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="AUTOEXEC.BAT") returned 1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="ntuser.dat") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="desktop.ini") returned 1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="CONFIG.SYS") returned 1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="RECYCLER") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="BOOTSECT.BAK") returned 1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="bootmgr") returned 1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="programdata") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="appdata") returned 1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="program files") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="program files (x86)") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="microsoft") returned -1 [0287.153] lstrcmpiW (lpString1="HD4tjqiq5TMv15yk7Or", lpString2="sophos") returned -1 [0287.153] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0287.153] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.153] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0287.153] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe68 [0287.153] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0287.153] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61570530, ftCreationTime.dwHighDateTime=0x1d5e73a, ftLastAccessTime.dwLowDateTime=0x941a56c0, ftLastAccessTime.dwHighDateTime=0x1d5ead7, ftLastWriteTime.dwLowDateTime=0x941a56c0, ftLastWriteTime.dwHighDateTime=0x1d5ead7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd98, dwReserved1=0x7000000, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0287.154] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0287.154] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61570530, ftCreationTime.dwHighDateTime=0x1d5e73a, ftLastAccessTime.dwLowDateTime=0x941a56c0, ftLastAccessTime.dwHighDateTime=0x1d5ead7, ftLastWriteTime.dwLowDateTime=0x941a56c0, ftLastWriteTime.dwHighDateTime=0x1d5ead7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd98, dwReserved1=0x7000000, cFileName="..", cAlternateFileName="")) returned 1 [0287.154] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0287.154] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0287.154] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91f490b0, ftCreationTime.dwHighDateTime=0x1d5e94f, ftLastAccessTime.dwLowDateTime=0xa8bda140, ftLastAccessTime.dwHighDateTime=0x1d5eb18, ftLastWriteTime.dwLowDateTime=0xa8bda140, ftLastWriteTime.dwHighDateTime=0x1d5eb18, nFileSizeHigh=0x0, nFileSizeLow=0x3e72, dwReserved0=0x28dbd98, dwReserved1=0x7000000, cFileName="3xKKXMLQZ-8RUvC-2.ods", cAlternateFileName="3XKKXM~1.ODS")) returned 1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2=".") returned 1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="..") returned 1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="...") returned 1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="windows") returned -1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="$RECYCLE.BIN") returned 1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="rsa") returned -1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="NTDETECT.COM") returned -1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="ntldr") returned -1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="MSDOS.SYS") returned -1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="IO.SYS") returned -1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="boot.ini") returned -1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="AUTOEXEC.BAT") returned -1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="ntuser.dat") returned -1 [0287.154] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="desktop.ini") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="CONFIG.SYS") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="RECYCLER") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="BOOTSECT.BAK") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="bootmgr") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="programdata") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="appdata") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="program files") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="program files (x86)") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="microsoft") returned -1 [0287.155] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="sophos") returned -1 [0287.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de798 [0287.155] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.155] PathFindExtensionW (pszPath="3xKKXMLQZ-8RUvC-2.ods") returned=".ods" [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0287.155] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0287.156] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0287.156] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0287.156] lstrcmpiW (lpString1=".ods", lpString2=".NEFILIM") returned 1 [0287.156] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0287.156] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0287.156] lstrcmpiW (lpString1="3xKKXMLQZ-8RUvC-2.ods", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.156] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de830 [0287.156] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\3xKKXMLQZ-8RUvC-2.ods" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\3xkkxmlqz-8ruvc-2.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.156] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=15986) returned 1 [0287.156] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.156] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.156] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.156] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0287.157] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0287.157] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.158] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.158] GetTickCount () returned 0x1187e36 [0287.158] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbed0 [0287.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbed0 | out: hHeap=0x28d0000) returned 1 [0287.158] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3e72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.158] SetLastError (dwErrCode=0x0) [0287.158] WriteFile (in: hFile=0x270, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.159] GetLastError () returned 0x0 [0287.159] GetLastError () returned 0x0 [0287.159] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3f72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.159] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.160] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4072, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.160] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd17b0509, dwHighDateTime=0x1d5fd73)) [0287.160] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0287.160] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.160] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.160] GetProcessHeap () returned 0xa10000 [0287.160] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3e72) returned 0xa3f6a8 [0287.160] GetSystemDefaultLangID () returned 0xa20409 [0287.160] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.160] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3e72, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3e72, lpOverlapped=0x0) returned 1 [0287.161] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.161] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3e72, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3e72, lpOverlapped=0x0) returned 1 [0287.162] GetProcessHeap () returned 0xa10000 [0287.162] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.162] CloseHandle (hObject=0x270) returned 1 [0287.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0287.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0287.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de8c8 [0287.162] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\3xKKXMLQZ-8RUvC-2.ods" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\3xkkxmlqz-8ruvc-2.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\3xKKXMLQZ-8RUvC-2.ods.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\3xkkxmlqz-8ruvc-2.ods.nefilim")) returned 1 [0287.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c8 | out: hHeap=0x28d0000) returned 1 [0287.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de830 | out: hHeap=0x28d0000) returned 1 [0287.163] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7deb90, ftCreationTime.dwHighDateTime=0x1d5e1a5, ftLastAccessTime.dwLowDateTime=0x941f5a40, ftLastAccessTime.dwHighDateTime=0x1d5ea9f, ftLastWriteTime.dwLowDateTime=0x941f5a40, ftLastWriteTime.dwHighDateTime=0x1d5ea9f, nFileSizeHigh=0x0, nFileSizeLow=0x59c5, dwReserved0=0x28dbd98, dwReserved1=0x7000000, cFileName="5JiNd.rtf", cAlternateFileName="")) returned 1 [0287.163] lstrcmpiW (lpString1="5JiNd.rtf", lpString2=".") returned 1 [0287.163] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="..") returned 1 [0287.163] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="...") returned 1 [0287.163] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="windows") returned -1 [0287.163] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="$RECYCLE.BIN") returned 1 [0287.163] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="rsa") returned -1 [0287.163] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="NTDETECT.COM") returned -1 [0287.163] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="ntldr") returned -1 [0287.163] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="MSDOS.SYS") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="IO.SYS") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="boot.ini") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="AUTOEXEC.BAT") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="ntuser.dat") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="desktop.ini") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="CONFIG.SYS") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="RECYCLER") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="BOOTSECT.BAK") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="bootmgr") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="programdata") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="appdata") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="program files") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="program files (x86)") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="microsoft") returned -1 [0287.164] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="sophos") returned -1 [0287.164] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0287.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0287.164] PathFindExtensionW (pszPath="5JiNd.rtf") returned=".rtf" [0287.164] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0287.164] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0287.164] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0287.164] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0287.164] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0287.164] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0287.164] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0287.165] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0287.165] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0287.165] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0287.165] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0287.165] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0287.165] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0287.165] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0287.165] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0287.165] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0287.165] lstrcmpiW (lpString1="5JiNd.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de798 [0287.165] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\5JiNd.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\5jind.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.165] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=22981) returned 1 [0287.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.165] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.165] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.166] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.167] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.169] GetTickCount () returned 0x1187e36 [0287.169] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbed0 [0287.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbed0 | out: hHeap=0x28d0000) returned 1 [0287.169] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x59c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.169] SetLastError (dwErrCode=0x0) [0287.169] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.170] GetLastError () returned 0x0 [0287.170] GetLastError () returned 0x0 [0287.170] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5ac5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.170] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.170] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5bc5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.170] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd17b0509, dwHighDateTime=0x1d5fd73)) [0287.170] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de810 [0287.170] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0287.170] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.171] GetProcessHeap () returned 0xa10000 [0287.171] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x59c5) returned 0xa3f6a8 [0287.171] GetSystemDefaultLangID () returned 0xa20409 [0287.171] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.171] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x59c5, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x59c5, lpOverlapped=0x0) returned 1 [0287.174] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.174] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x59c5, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x59c5, lpOverlapped=0x0) returned 1 [0287.174] GetProcessHeap () returned 0xa10000 [0287.174] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.174] CloseHandle (hObject=0x270) returned 1 [0287.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.174] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de810 [0287.174] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\5JiNd.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\5jind.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\5JiNd.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\5jind.rtf.nefilim")) returned 1 [0287.175] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0287.175] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0287.175] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86f17ba0, ftCreationTime.dwHighDateTime=0x1d5e93c, ftLastAccessTime.dwLowDateTime=0x9eb72c10, ftLastAccessTime.dwHighDateTime=0x1d5e71d, ftLastWriteTime.dwLowDateTime=0x9eb72c10, ftLastWriteTime.dwHighDateTime=0x1d5e71d, nFileSizeHigh=0x0, nFileSizeLow=0x7b9d, dwReserved0=0x28dbd98, dwReserved1=0x7000000, cFileName="KpEx1slCO.odp", cAlternateFileName="KPEX1S~1.ODP")) returned 1 [0287.175] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2=".") returned 1 [0287.175] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="..") returned 1 [0287.175] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="...") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="windows") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="$RECYCLE.BIN") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="rsa") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="NTDETECT.COM") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="ntldr") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="MSDOS.SYS") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="IO.SYS") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="boot.ini") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="AUTOEXEC.BAT") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="ntuser.dat") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="desktop.ini") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="CONFIG.SYS") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="RECYCLER") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="BOOTSECT.BAK") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="bootmgr") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="programdata") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="appdata") returned 1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="program files") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="program files (x86)") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="microsoft") returned -1 [0287.176] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="sophos") returned -1 [0287.176] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de798 [0287.176] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.176] PathFindExtensionW (pszPath="KpEx1slCO.odp") returned=".odp" [0287.176] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0287.176] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".NEFILIM") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0287.177] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0287.177] lstrcmpiW (lpString1="KpEx1slCO.odp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.177] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de820 [0287.177] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\KpEx1slCO.odp" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\kpex1slco.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.177] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=31645) returned 1 [0287.177] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.178] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0287.178] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.178] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0287.178] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0287.178] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.178] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.178] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.178] GetTickCount () returned 0x1187e46 [0287.179] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbed0 [0287.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbed0 | out: hHeap=0x28d0000) returned 1 [0287.179] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7b9d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.179] SetLastError (dwErrCode=0x0) [0287.179] WriteFile (in: hFile=0x270, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.180] GetLastError () returned 0x0 [0287.180] GetLastError () returned 0x0 [0287.180] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7c9d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.180] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.180] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7d9d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.180] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd17d5aa6, dwHighDateTime=0x1d5fd73)) [0287.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0287.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.180] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.181] GetProcessHeap () returned 0xa10000 [0287.181] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x7b9d) returned 0xa3f6a8 [0287.181] GetSystemDefaultLangID () returned 0xa20409 [0287.181] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.181] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x7b9d, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x7b9d, lpOverlapped=0x0) returned 1 [0287.183] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.183] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x7b9d, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x7b9d, lpOverlapped=0x0) returned 1 [0287.183] GetProcessHeap () returned 0xa10000 [0287.183] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.184] CloseHandle (hObject=0x270) returned 1 [0287.189] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0287.189] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.189] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.189] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0287.189] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de8a8 [0287.189] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\KpEx1slCO.odp" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\kpex1slco.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\KpEx1slCO.odp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\kpex1slco.odp.nefilim")) returned 1 [0287.191] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8a8 | out: hHeap=0x28d0000) returned 1 [0287.191] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de820 | out: hHeap=0x28d0000) returned 1 [0287.191] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fc4fc80, ftCreationTime.dwHighDateTime=0x1d5e74c, ftLastAccessTime.dwLowDateTime=0x591d73d0, ftLastAccessTime.dwHighDateTime=0x1d5f050, ftLastWriteTime.dwLowDateTime=0x591d73d0, ftLastWriteTime.dwHighDateTime=0x1d5f050, nFileSizeHigh=0x0, nFileSizeLow=0x12af7, dwReserved0=0x28dbd98, dwReserved1=0x7000000, cFileName="LQ0PcdTrk5iP5.rtf", cAlternateFileName="LQ0PCD~1.RTF")) returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2=".") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="..") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="...") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="windows") returned -1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="$RECYCLE.BIN") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="rsa") returned -1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="NTDETECT.COM") returned -1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="ntldr") returned -1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="MSDOS.SYS") returned -1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="IO.SYS") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="boot.ini") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="ntuser.dat") returned -1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="desktop.ini") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="CONFIG.SYS") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="RECYCLER") returned -1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="BOOTSECT.BAK") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="bootmgr") returned 1 [0287.191] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="programdata") returned -1 [0287.192] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="appdata") returned 1 [0287.192] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="program files") returned -1 [0287.192] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="program files (x86)") returned -1 [0287.192] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="microsoft") returned -1 [0287.192] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="sophos") returned -1 [0287.192] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de820 [0287.192] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0287.192] PathFindExtensionW (pszPath="LQ0PcdTrk5iP5.rtf") returned=".rtf" [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0287.192] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0287.192] lstrcmpiW (lpString1="LQ0PcdTrk5iP5.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.193] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de720 [0287.193] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\LQ0PcdTrk5iP5.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\lq0pcdtrk5ip5.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.193] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=76535) returned 1 [0287.193] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.193] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.193] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.193] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.193] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0287.193] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0287.193] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.195] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.196] GetTickCount () returned 0x1187e55 [0287.196] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbed0 [0287.196] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbed0 | out: hHeap=0x28d0000) returned 1 [0287.196] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12af7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.196] SetLastError (dwErrCode=0x0) [0287.196] WriteFile (in: hFile=0x270, lpBuffer=0x2d21a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21a38*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.197] GetLastError () returned 0x0 [0287.197] GetLastError () returned 0x0 [0287.197] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12bf7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.197] WriteFile (in: hFile=0x270, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.197] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12cf7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.197] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd17fbcd3, dwHighDateTime=0x1d5fd73)) [0287.197] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7a8 [0287.197] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7a8 | out: hHeap=0x28d0000) returned 1 [0287.197] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.197] GetProcessHeap () returned 0xa10000 [0287.197] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12af7) returned 0xa3f6a8 [0287.198] GetSystemDefaultLangID () returned 0xa20409 [0287.198] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.198] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x12af7, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x12af7, lpOverlapped=0x0) returned 1 [0287.203] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.203] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x12af7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x12af7, lpOverlapped=0x0) returned 1 [0287.204] GetProcessHeap () returned 0xa10000 [0287.204] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.204] CloseHandle (hObject=0x270) returned 1 [0287.204] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21a38 | out: hHeap=0x28d0000) returned 1 [0287.204] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0287.204] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.258] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.258] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de8a8 [0287.258] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\LQ0PcdTrk5iP5.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\lq0pcdtrk5ip5.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\LQ0PcdTrk5iP5.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\lq0pcdtrk5ip5.rtf.nefilim")) returned 1 [0287.259] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8a8 | out: hHeap=0x28d0000) returned 1 [0287.259] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.259] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4bc0080, ftCreationTime.dwHighDateTime=0x1d5e10a, ftLastAccessTime.dwLowDateTime=0x634f9a20, ftLastAccessTime.dwHighDateTime=0x1d5e6e8, ftLastWriteTime.dwLowDateTime=0x634f9a20, ftLastWriteTime.dwHighDateTime=0x1d5e6e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d4b, dwReserved0=0x28dbd98, dwReserved1=0x7000000, cFileName="YaaibcVtVUqwKBJg.xlsx", cAlternateFileName="YAAIBC~1.XLS")) returned 1 [0287.259] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2=".") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="..") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="...") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="windows") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="rsa") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="NTDETECT.COM") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="ntldr") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="MSDOS.SYS") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="IO.SYS") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="boot.ini") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="ntuser.dat") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="desktop.ini") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="CONFIG.SYS") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="RECYCLER") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="bootmgr") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="programdata") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="appdata") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="program files") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="program files (x86)") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="microsoft") returned 1 [0287.260] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="sophos") returned 1 [0287.260] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de720 [0287.260] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de820 | out: hHeap=0x28d0000) returned 1 [0287.261] PathFindExtensionW (pszPath="YaaibcVtVUqwKBJg.xlsx") returned=".xlsx" [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0287.261] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0287.261] lstrcmpiW (lpString1="YaaibcVtVUqwKBJg.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.261] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de7b8 [0287.261] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\YaaibcVtVUqwKBJg.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\yaaibcvtvuqwkbjg.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.262] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=15691) returned 1 [0287.262] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.262] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0287.262] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.262] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0287.262] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.262] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0287.262] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.262] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.263] GetTickCount () returned 0x1187e94 [0287.263] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbed0 [0287.263] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbed0 | out: hHeap=0x28d0000) returned 1 [0287.263] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3d4b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.263] SetLastError (dwErrCode=0x0) [0287.263] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.264] GetLastError () returned 0x0 [0287.264] GetLastError () returned 0x0 [0287.264] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3e4b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.264] WriteFile (in: hFile=0x270, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.264] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3f4b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.264] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd18946fc, dwHighDateTime=0x1d5fd73)) [0287.264] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0287.264] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0287.264] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.265] GetProcessHeap () returned 0xa10000 [0287.265] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3d4b) returned 0xa3f6a8 [0287.265] GetSystemDefaultLangID () returned 0xa20409 [0287.265] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.265] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x3d4b, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x3d4b, lpOverlapped=0x0) returned 1 [0287.266] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.266] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x3d4b, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x3d4b, lpOverlapped=0x0) returned 1 [0287.267] GetProcessHeap () returned 0xa10000 [0287.267] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.267] CloseHandle (hObject=0x270) returned 1 [0287.267] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.267] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0287.267] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.267] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0287.267] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28de850 [0287.267] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\YaaibcVtVUqwKBJg.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\yaaibcvtvuqwkbjg.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\HD4tjqiq5TMv15yk7Or\\YaaibcVtVUqwKBJg.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\hd4tjqiq5tmv15yk7or\\yaaibcvtvuqwkbjg.xlsx.nefilim")) returned 1 [0287.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0287.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b8 | out: hHeap=0x28d0000) returned 1 [0287.268] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4bc0080, ftCreationTime.dwHighDateTime=0x1d5e10a, ftLastAccessTime.dwLowDateTime=0x634f9a20, ftLastAccessTime.dwHighDateTime=0x1d5e6e8, ftLastWriteTime.dwLowDateTime=0x634f9a20, ftLastWriteTime.dwHighDateTime=0x1d5e6e8, nFileSizeHigh=0x0, nFileSizeLow=0x3d4b, dwReserved0=0x28dbd98, dwReserved1=0x7000000, cFileName="YaaibcVtVUqwKBJg.xlsx", cAlternateFileName="YAAIBC~1.XLS")) returned 0 [0287.268] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0287.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.268] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.268] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a887f60, ftCreationTime.dwHighDateTime=0x1d58d51, ftLastAccessTime.dwLowDateTime=0x732fccd0, ftLastAccessTime.dwHighDateTime=0x1d5e440, ftLastWriteTime.dwLowDateTime=0x732fccd0, ftLastWriteTime.dwHighDateTime=0x1d5e440, nFileSizeHigh=0x0, nFileSizeLow=0x141ef, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="lmYkR_18VtVG.xlsx", cAlternateFileName="LMYKR_~1.XLS")) returned 1 [0287.268] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2=".") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="..") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="...") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="windows") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="rsa") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="NTDETECT.COM") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="ntldr") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="MSDOS.SYS") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="IO.SYS") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="boot.ini") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="ntuser.dat") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="desktop.ini") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="CONFIG.SYS") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="RECYCLER") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="bootmgr") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="programdata") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="appdata") returned 1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="program files") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="program files (x86)") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="microsoft") returned -1 [0287.269] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="sophos") returned -1 [0287.269] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0287.269] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.270] PathFindExtensionW (pszPath="lmYkR_18VtVG.xlsx") returned=".xlsx" [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0287.270] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0287.270] lstrcmpiW (lpString1="lmYkR_18VtVG.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.270] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0287.270] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\lmYkR_18VtVG.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\lmykr_18vtvg.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.271] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=82415) returned 1 [0287.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.271] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.271] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.271] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0287.271] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.271] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.272] GetTickCount () returned 0x1187ea4 [0287.272] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe68 [0287.272] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.272] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x141ef, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.272] SetLastError (dwErrCode=0x0) [0287.272] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.273] GetLastError () returned 0x0 [0287.273] GetLastError () returned 0x0 [0287.273] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x142ef, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.273] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.273] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x143ef, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.274] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd18baa23, dwHighDateTime=0x1d5fd73)) [0287.274] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe68 [0287.274] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.274] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.274] GetProcessHeap () returned 0xa10000 [0287.274] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x141ef) returned 0xa3e6a0 [0287.274] GetSystemDefaultLangID () returned 0xa20409 [0287.274] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.274] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x141ef, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x141ef, lpOverlapped=0x0) returned 1 [0287.279] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.279] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x141ef, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x141ef, lpOverlapped=0x0) returned 1 [0287.280] GetProcessHeap () returned 0xa10000 [0287.280] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.280] CloseHandle (hObject=0x26c) returned 1 [0287.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0287.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.280] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.280] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe68 [0287.280] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\lmYkR_18VtVG.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\lmykr_18vtvg.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\lmYkR_18VtVG.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\lmykr_18vtvg.xlsx.nefilim")) returned 1 [0287.281] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.281] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.281] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5ad8f90, ftCreationTime.dwHighDateTime=0x1d5abf5, ftLastAccessTime.dwLowDateTime=0x327d3e60, ftLastAccessTime.dwHighDateTime=0x1d5e2e3, ftLastWriteTime.dwLowDateTime=0x327d3e60, ftLastWriteTime.dwHighDateTime=0x1d5e2e3, nFileSizeHigh=0x0, nFileSizeLow=0xbdc7, dwReserved0=0x0, dwReserved1=0x18000119, cFileName="m-hbCyWcA.xlsx", cAlternateFileName="M-HBCY~1.XLS")) returned 1 [0287.281] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2=".") returned 1 [0287.281] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="..") returned 1 [0287.281] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="...") returned 1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="windows") returned -1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="rsa") returned -1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="NTDETECT.COM") returned -1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="ntldr") returned -1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="MSDOS.SYS") returned -1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="IO.SYS") returned 1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="boot.ini") returned 1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="ntuser.dat") returned -1 [0287.282] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="desktop.ini") returned 1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="CONFIG.SYS") returned 1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="RECYCLER") returned -1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="bootmgr") returned 1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="programdata") returned -1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="appdata") returned 1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="program files") returned -1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="program files (x86)") returned -1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="microsoft") returned -1 [0287.283] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="sophos") returned -1 [0287.283] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0287.283] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.283] PathFindExtensionW (pszPath="m-hbCyWcA.xlsx") returned=".xlsx" [0287.283] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0287.283] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0287.283] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0287.283] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0287.283] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0287.283] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0287.284] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0287.284] lstrcmpiW (lpString1="m-hbCyWcA.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.284] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0287.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\m-hbCyWcA.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\m-hbcywca.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.285] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=48583) returned 1 [0287.285] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.285] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.285] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.285] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.285] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.285] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0287.285] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.286] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.286] GetTickCount () returned 0x1187eb3 [0287.286] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe68 [0287.286] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.286] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbdc7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.286] SetLastError (dwErrCode=0x0) [0287.286] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.288] GetLastError () returned 0x0 [0287.288] GetLastError () returned 0x0 [0287.288] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbec7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.288] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.288] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbfc7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.288] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd18e0c13, dwHighDateTime=0x1d5fd73)) [0287.288] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe68 [0287.288] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.288] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.288] GetProcessHeap () returned 0xa10000 [0287.288] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xbdc7) returned 0xa3e6a0 [0287.288] GetSystemDefaultLangID () returned 0xa20409 [0287.288] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.288] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xbdc7, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xbdc7, lpOverlapped=0x0) returned 1 [0287.291] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.291] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xbdc7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xbdc7, lpOverlapped=0x0) returned 1 [0287.292] GetProcessHeap () returned 0xa10000 [0287.292] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.293] CloseHandle (hObject=0x26c) returned 1 [0287.293] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.293] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0287.293] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.293] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe68 [0287.293] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\m-hbCyWcA.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\m-hbcywca.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\m-hbCyWcA.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\m-hbcywca.xlsx.nefilim")) returned 1 [0287.294] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe68 | out: hHeap=0x28d0000) returned 1 [0287.294] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.294] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0287.294] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0287.294] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0287.294] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0287.294] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0287.294] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0287.294] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0287.294] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0287.294] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0287.294] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="microsoft") returned 1 [0287.295] lstrcmpiW (lpString1="My Music", lpString2="sophos") returned -1 [0287.295] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe00 [0287.295] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.295] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0287.295] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe58 [0287.295] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbeb0 [0287.295] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Music\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2000002, ftCreationTime.dwLowDateTime=0xf, ftCreationTime.dwHighDateTime=0x16000016, ftLastAccessTime.dwLowDateTime=0xa1f298, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x779b15ca, ftLastWriteTime.dwHighDateTime=0x18000119, nFileSizeHigh=0x28d0000, nFileSizeLow=0x28d0000, dwReserved0=0x28dbe00, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01붘ʍ븀ʍF")) returned 0xffffffff [0287.296] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbeb0 | out: hHeap=0x28d0000) returned 1 [0287.296] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0287.296] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.296] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0287.296] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0287.297] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0287.297] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0287.297] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0287.297] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0287.297] lstrcmpiW (lpString1="My Pictures", lpString2="microsoft") returned 1 [0287.297] lstrcmpiW (lpString1="My Pictures", lpString2="sophos") returned -1 [0287.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0287.297] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0287.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe48 [0287.297] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbea0 [0287.297] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Pictures\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xf, ftCreationTime.dwHighDateTime=0x18000119, ftLastAccessTime.dwLowDateTime=0xa1f298, ftLastAccessTime.dwHighDateTime=0x2000002, ftLastWriteTime.dwLowDateTime=0x779b15ca, ftLastWriteTime.dwHighDateTime=0x16000016, nFileSizeHigh=0x28d0000, nFileSizeLow=0x28d0000, dwReserved0=0x28dbe00, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01뷰ʍ붘ʍL")) returned 0xffffffff [0287.297] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0287.298] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0287.298] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0287.298] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2=".") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="..") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="...") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="windows") returned -1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="$RECYCLE.BIN") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="rsa") returned -1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="NTDETECT.COM") returned -1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="ntldr") returned -1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="MSDOS.SYS") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="IO.SYS") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="boot.ini") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="AUTOEXEC.BAT") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="ntuser.dat") returned -1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="desktop.ini") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="CONFIG.SYS") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="RECYCLER") returned -1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="BOOTSECT.BAK") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="bootmgr") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="programdata") returned -1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="appdata") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="program files") returned -1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="program files (x86)") returned -1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="microsoft") returned 1 [0287.298] lstrcmpiW (lpString1="My Shapes", lpString2="sophos") returned -1 [0287.299] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0287.299] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.299] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0287.299] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe48 [0287.299] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbea0 [0287.299] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe00, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0287.300] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0287.300] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe00, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0287.301] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0287.301] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0287.301] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x28dbe00, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0287.301] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0287.301] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1a0f60e, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1a0f60e, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe00, dwReserved1=0x0, cFileName="Favorites.vssx", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0287.301] lstrcmpiW (lpString1="Favorites.vssx", lpString2=".") returned 1 [0287.301] lstrcmpiW (lpString1="Favorites.vssx", lpString2="..") returned 1 [0287.301] lstrcmpiW (lpString1="Favorites.vssx", lpString2="...") returned 1 [0287.301] lstrcmpiW (lpString1="Favorites.vssx", lpString2="windows") returned -1 [0287.301] lstrcmpiW (lpString1="Favorites.vssx", lpString2="$RECYCLE.BIN") returned 1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="rsa") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="NTDETECT.COM") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntldr") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="MSDOS.SYS") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="IO.SYS") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="boot.ini") returned 1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="AUTOEXEC.BAT") returned 1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntuser.dat") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="desktop.ini") returned 1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="CONFIG.SYS") returned 1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="RECYCLER") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="BOOTSECT.BAK") returned 1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="bootmgr") returned 1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="programdata") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="appdata") returned 1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="program files") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="program files (x86)") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="microsoft") returned -1 [0287.302] lstrcmpiW (lpString1="Favorites.vssx", lpString2="sophos") returned -1 [0287.302] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0287.302] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0287.302] PathFindExtensionW (pszPath="Favorites.vssx") returned=".vssx" [0287.302] lstrcmpiW (lpString1=".vssx", lpString2=".exe") returned 1 [0287.302] lstrcmpiW (lpString1=".vssx", lpString2=".log") returned 1 [0287.302] lstrcmpiW (lpString1=".vssx", lpString2=".cab") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".cmd") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".com") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".cpl") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".ini") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".dll") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".url") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".ttf") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".mp3") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".pif") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".mp4") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".NEFILIM") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".msi") returned 1 [0287.303] lstrcmpiW (lpString1=".vssx", lpString2=".lnk") returned 1 [0287.303] lstrcmpiW (lpString1="Favorites.vssx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.303] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de798 [0287.303] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\Favorites.vssx" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\favorites.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.304] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=0) returned 1 [0287.304] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.304] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.304] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.304] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.304] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0287.304] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0287.304] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.305] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.307] GetTickCount () returned 0x1187ec3 [0287.307] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbea0 [0287.307] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0287.307] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.307] SetLastError (dwErrCode=0x0) [0287.307] WriteFile (in: hFile=0x270, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.308] GetLastError () returned 0x0 [0287.308] GetLastError () returned 0x0 [0287.308] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.308] WriteFile (in: hFile=0x270, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.309] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.309] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd1906dbc, dwHighDateTime=0x1d5fd73)) [0287.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0287.309] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0287.309] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.309] GetProcessHeap () returned 0xa10000 [0287.309] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x0) returned 0xa33180 [0287.309] GetSystemDefaultLangID () returned 0xa20409 [0287.309] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.309] ReadFile (in: hFile=0x270, lpBuffer=0xa33180, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa33180*, lpNumberOfBytesRead=0x26ee94c*=0x0, lpOverlapped=0x0) returned 1 [0287.309] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.309] WriteFile (in: hFile=0x270, lpBuffer=0xa33180*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa33180*, lpNumberOfBytesWritten=0x26ee940*=0x0, lpOverlapped=0x0) returned 1 [0287.309] GetProcessHeap () returned 0xa10000 [0287.309] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa33180 | out: hHeap=0xa10000) returned 1 [0287.309] CloseHandle (hObject=0x270) returned 1 [0287.310] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0287.310] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0287.310] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.310] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.310] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de810 [0287.310] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\Favorites.vssx" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\favorites.vssx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\Favorites.vssx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\favorites.vssx.nefilim")) returned 1 [0287.311] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0287.311] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de798 | out: hHeap=0x28d0000) returned 1 [0287.311] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe00, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 1 [0287.311] lstrcmpiW (lpString1="_private", lpString2=".") returned 1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="..") returned 1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="...") returned 1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="windows") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="$RECYCLE.BIN") returned 1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="rsa") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="NTDETECT.COM") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="ntldr") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="MSDOS.SYS") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="IO.SYS") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="boot.ini") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="AUTOEXEC.BAT") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="ntuser.dat") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="desktop.ini") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="CONFIG.SYS") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="RECYCLER") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="BOOTSECT.BAK") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="bootmgr") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="programdata") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="appdata") returned -1 [0287.311] lstrcmpiW (lpString1="_private", lpString2="program files") returned -1 [0287.312] lstrcmpiW (lpString1="_private", lpString2="program files (x86)") returned -1 [0287.312] lstrcmpiW (lpString1="_private", lpString2="microsoft") returned -1 [0287.312] lstrcmpiW (lpString1="_private", lpString2="sophos") returned -1 [0287.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbea0 [0287.312] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0287.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de788 [0287.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de7f0 [0287.312] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de798, dwReserved1=0x3000000, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0287.313] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0287.313] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de798, dwReserved1=0x3000000, cFileName="..", cAlternateFileName="")) returned 1 [0287.313] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0287.313] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0287.313] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x28de798, dwReserved1=0x3000000, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="...") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="$RECYCLE.BIN") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="rsa") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="NTDETECT.COM") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="ntldr") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="MSDOS.SYS") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="IO.SYS") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="boot.ini") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="AUTOEXEC.BAT") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="ntuser.dat") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="desktop.ini") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="CONFIG.SYS") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="RECYCLER") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="BOOTSECT.BAK") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="bootmgr") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="programdata") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="appdata") returned 1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="program files") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="program files (x86)") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="microsoft") returned -1 [0287.314] lstrcmpiW (lpString1="folder.ico", lpString2="sophos") returned -1 [0287.315] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de868 [0287.315] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f0 | out: hHeap=0x28d0000) returned 1 [0287.315] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0287.315] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0287.315] lstrcmpiW (lpString1="folder.ico", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.315] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de7f0 [0287.315] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.318] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=29926) returned 1 [0287.318] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.318] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0287.318] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.318] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0287.318] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.318] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.318] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.319] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.319] GetTickCount () returned 0x1187ed2 [0287.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8e0 [0287.319] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8e0 | out: hHeap=0x28d0000) returned 1 [0287.319] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x74e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.320] SetLastError (dwErrCode=0x0) [0287.320] WriteFile (in: hFile=0x274, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.322] GetLastError () returned 0x0 [0287.322] GetLastError () returned 0x0 [0287.322] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x75e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.322] WriteFile (in: hFile=0x274, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.322] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x76e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.322] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd192ce52, dwHighDateTime=0x1d5fd73)) [0287.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de8e0 [0287.322] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8e0 | out: hHeap=0x28d0000) returned 1 [0287.322] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.322] GetProcessHeap () returned 0xa10000 [0287.322] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x74e6) returned 0xa406b0 [0287.322] GetSystemDefaultLangID () returned 0xa20409 [0287.322] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.322] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x74e6, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x74e6, lpOverlapped=0x0) returned 1 [0287.325] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.325] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x74e6, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x74e6, lpOverlapped=0x0) returned 1 [0287.326] GetProcessHeap () returned 0xa10000 [0287.326] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.326] CloseHandle (hObject=0x274) returned 1 [0287.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0287.326] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de8e0 [0287.326] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico.nefilim")) returned 1 [0287.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8e0 | out: hHeap=0x28d0000) returned 1 [0287.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f0 | out: hHeap=0x28d0000) returned 1 [0287.327] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x28de798, dwReserved1=0x3000000, cFileName="folder.ico", cAlternateFileName="")) returned 0 [0287.327] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0287.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de868 | out: hHeap=0x28d0000) returned 1 [0287.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.327] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe00, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 0 [0287.327] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0287.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0287.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0287.327] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.327] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0287.328] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0287.329] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0287.329] lstrcmpiW (lpString1="My Videos", lpString2="microsoft") returned 1 [0287.329] lstrcmpiW (lpString1="My Videos", lpString2="sophos") returned -1 [0287.329] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0287.329] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0287.329] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0287.329] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbe48 [0287.329] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbea0 [0287.329] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Videos\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x18000119, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x28d0000, nFileSizeLow=0x18000018, dwReserved0=0x28dbe00, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01뷰ʍ붘ʍH")) returned 0xffffffff [0287.329] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0287.329] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0287.329] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0287.329] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x5ee892ad, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0287.329] lstrcmpiW (lpString1="Outlook Files", lpString2=".") returned 1 [0287.329] lstrcmpiW (lpString1="Outlook Files", lpString2="..") returned 1 [0287.329] lstrcmpiW (lpString1="Outlook Files", lpString2="...") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="windows") returned -1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="$RECYCLE.BIN") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="rsa") returned -1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="NTDETECT.COM") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="ntldr") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="MSDOS.SYS") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="IO.SYS") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="boot.ini") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="AUTOEXEC.BAT") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="ntuser.dat") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="desktop.ini") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="CONFIG.SYS") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="RECYCLER") returned -1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="BOOTSECT.BAK") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="bootmgr") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="programdata") returned -1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="appdata") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="program files") returned -1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="program files (x86)") returned -1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="microsoft") returned 1 [0287.330] lstrcmpiW (lpString1="Outlook Files", lpString2="sophos") returned -1 [0287.330] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0287.330] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x76) returned 0x28dbe48 [0287.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0287.330] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.330] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0287.330] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0287.330] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de788 [0287.331] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe00, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0287.331] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0287.331] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe00, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0287.331] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0287.331] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0287.331] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x28dbe00, dwReserved1=0x18000119, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 1 [0287.331] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2=".") returned 1 [0287.331] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="..") returned 1 [0287.331] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="...") returned 1 [0287.331] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="windows") returned -1 [0287.331] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="$RECYCLE.BIN") returned 1 [0287.331] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="rsa") returned -1 [0287.331] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="NTDETECT.COM") returned -1 [0287.331] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="ntldr") returned -1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="MSDOS.SYS") returned -1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="IO.SYS") returned 1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="boot.ini") returned 1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="AUTOEXEC.BAT") returned 1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="ntuser.dat") returned -1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="desktop.ini") returned 1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="CONFIG.SYS") returned 1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="RECYCLER") returned -1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="BOOTSECT.BAK") returned 1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="bootmgr") returned 1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="programdata") returned -1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="appdata") returned 1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="program files") returned -1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="program files (x86)") returned -1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="microsoft") returned -1 [0287.332] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="sophos") returned -1 [0287.332] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de7f0 [0287.332] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.332] PathFindExtensionW (pszPath="kkcie@kdj.kd.pst") returned=".pst" [0287.332] lstrcmpiW (lpString1=".pst", lpString2=".exe") returned 1 [0287.332] lstrcmpiW (lpString1=".pst", lpString2=".log") returned 1 [0287.332] lstrcmpiW (lpString1=".pst", lpString2=".cab") returned 1 [0287.332] lstrcmpiW (lpString1=".pst", lpString2=".cmd") returned 1 [0287.332] lstrcmpiW (lpString1=".pst", lpString2=".com") returned 1 [0287.332] lstrcmpiW (lpString1=".pst", lpString2=".cpl") returned 1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".ini") returned 1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".url") returned -1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".ttf") returned -1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".mp3") returned 1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".pif") returned 1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".mp4") returned 1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".NEFILIM") returned 1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0287.333] lstrcmpiW (lpString1=".pst", lpString2=".lnk") returned 1 [0287.333] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de878 [0287.333] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.333] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=271360) returned 1 [0287.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.334] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.334] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0287.334] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.334] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.335] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.336] GetTickCount () returned 0x1187ee2 [0287.336] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0287.336] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0287.336] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.336] SetLastError (dwErrCode=0x0) [0287.336] WriteFile (in: hFile=0x270, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.342] GetLastError () returned 0x0 [0287.342] GetLastError () returned 0x0 [0287.342] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x42500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.342] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.342] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x42600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.342] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd19532a6, dwHighDateTime=0x1d5fd73)) [0287.342] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.342] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.342] GetProcessHeap () returned 0xa10000 [0287.342] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x42400) returned 0xa3f6a8 [0287.343] GetSystemDefaultLangID () returned 0xa20409 [0287.343] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.344] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x42400, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x42400, lpOverlapped=0x0) returned 1 [0287.365] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.365] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x42400, lpOverlapped=0x0) returned 1 [0287.367] GetProcessHeap () returned 0xa10000 [0287.367] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.367] CloseHandle (hObject=0x270) returned 1 [0287.367] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0287.367] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.367] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.367] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.367] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de900 [0287.367] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst.nefilim")) returned 1 [0287.368] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de900 | out: hHeap=0x28d0000) returned 1 [0287.368] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de878 | out: hHeap=0x28d0000) returned 1 [0287.368] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x28dbe00, dwReserved1=0x18000119, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 0 [0287.368] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0287.368] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f0 | out: hHeap=0x28d0000) returned 1 [0287.368] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0287.368] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.368] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x260c14a0, ftCreationTime.dwHighDateTime=0x1d5f119, ftLastAccessTime.dwLowDateTime=0x2c838730, ftLastAccessTime.dwHighDateTime=0x1d5e5e0, ftLastWriteTime.dwLowDateTime=0x2c838730, ftLastWriteTime.dwHighDateTime=0x1d5e5e0, nFileSizeHigh=0x0, nFileSizeLow=0x18e1, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="ovrabPBO.xlsx", cAlternateFileName="OVRABP~1.XLS")) returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2=".") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="..") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="...") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="windows") returned -1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="rsa") returned -1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="NTDETECT.COM") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="ntldr") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="MSDOS.SYS") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="IO.SYS") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="boot.ini") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0287.368] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="ntuser.dat") returned 1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="desktop.ini") returned 1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="CONFIG.SYS") returned 1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="RECYCLER") returned -1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="bootmgr") returned 1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="programdata") returned -1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="appdata") returned 1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="program files") returned -1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="program files (x86)") returned -1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="microsoft") returned 1 [0287.369] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="sophos") returned -1 [0287.369] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0287.369] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0287.369] PathFindExtensionW (pszPath="ovrabPBO.xlsx") returned=".xlsx" [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0287.369] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0287.370] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0287.370] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0287.370] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0287.370] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0287.370] lstrcmpiW (lpString1="ovrabPBO.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.370] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0287.370] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\ovrabPBO.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\ovrabpbo.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0287.370] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=6369) returned 1 [0287.370] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.370] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.370] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.370] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.370] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.370] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0287.370] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0287.371] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x100) returned 1 [0287.371] GetTickCount () returned 0x1187f01 [0287.371] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbe48 [0287.371] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0287.371] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x18e1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.371] SetLastError (dwErrCode=0x0) [0287.371] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.372] GetLastError () returned 0x0 [0287.372] GetLastError () returned 0x0 [0287.372] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x19e1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.372] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0287.373] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1ae1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.373] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd199f9a6, dwHighDateTime=0x1d5fd73)) [0287.373] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe48 [0287.373] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0287.373] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0287.373] GetProcessHeap () returned 0xa10000 [0287.373] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x18e1) returned 0xa3e6a0 [0287.373] GetSystemDefaultLangID () returned 0xa20409 [0287.373] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.373] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x18e1, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x18e1, lpOverlapped=0x0) returned 1 [0287.374] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.374] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x18e1, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x18e1, lpOverlapped=0x0) returned 1 [0287.374] GetProcessHeap () returned 0xa10000 [0287.374] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0287.374] CloseHandle (hObject=0x26c) returned 1 [0287.374] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.374] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0287.374] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.374] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.374] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe48 [0287.374] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\ovrabPBO.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\ovrabpbo.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\ovrabPBO.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ovrabpbo.xlsx.nefilim")) returned 1 [0287.375] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0287.375] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0287.375] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x694422a0, ftCreationTime.dwHighDateTime=0x1d5ed2a, ftLastAccessTime.dwLowDateTime=0xf8dc3b20, ftLastAccessTime.dwHighDateTime=0x1d5edaf, ftLastWriteTime.dwLowDateTime=0xf8dc3b20, ftLastWriteTime.dwHighDateTime=0x1d5edaf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="VZmu9qCRRT5RN", cAlternateFileName="VZMU9Q~1")) returned 1 [0287.375] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2=".") returned 1 [0287.375] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="..") returned 1 [0287.375] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="...") returned 1 [0287.375] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="windows") returned -1 [0287.375] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="$RECYCLE.BIN") returned 1 [0287.375] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="rsa") returned 1 [0287.375] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="NTDETECT.COM") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="ntldr") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="MSDOS.SYS") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="IO.SYS") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="boot.ini") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="AUTOEXEC.BAT") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="ntuser.dat") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="desktop.ini") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="CONFIG.SYS") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="RECYCLER") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="BOOTSECT.BAK") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="bootmgr") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="programdata") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="appdata") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="program files") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="program files (x86)") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="microsoft") returned 1 [0287.376] lstrcmpiW (lpString1="VZmu9qCRRT5RN", lpString2="sophos") returned 1 [0287.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0287.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x76) returned 0x28dbe48 [0287.376] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0287.376] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0287.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0287.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0287.376] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de788 [0287.376] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x694422a0, ftCreationTime.dwHighDateTime=0x1d5ed2a, ftLastAccessTime.dwLowDateTime=0xf8dc3b20, ftLastAccessTime.dwHighDateTime=0x1d5edaf, ftLastWriteTime.dwLowDateTime=0xf8dc3b20, ftLastWriteTime.dwHighDateTime=0x1d5edaf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0287.377] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0287.377] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x694422a0, ftCreationTime.dwHighDateTime=0x1d5ed2a, ftLastAccessTime.dwLowDateTime=0xf8dc3b20, ftLastAccessTime.dwHighDateTime=0x1d5edaf, ftLastWriteTime.dwLowDateTime=0xf8dc3b20, ftLastWriteTime.dwHighDateTime=0x1d5edaf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0287.377] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0287.377] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0287.377] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdba193a0, ftCreationTime.dwHighDateTime=0x1d5e735, ftLastAccessTime.dwLowDateTime=0xd5a06650, ftLastAccessTime.dwHighDateTime=0x1d5ed3b, ftLastWriteTime.dwLowDateTime=0xd5a06650, ftLastWriteTime.dwHighDateTime=0x1d5ed3b, nFileSizeHigh=0x0, nFileSizeLow=0xcf1, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="1eRB6.rtf", cAlternateFileName="")) returned 1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2=".") returned 1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="..") returned 1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="...") returned 1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="windows") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="$RECYCLE.BIN") returned 1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="rsa") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="NTDETECT.COM") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="ntldr") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="MSDOS.SYS") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="IO.SYS") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="boot.ini") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="AUTOEXEC.BAT") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="ntuser.dat") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="desktop.ini") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="CONFIG.SYS") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="RECYCLER") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="BOOTSECT.BAK") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="bootmgr") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="programdata") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="appdata") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="program files") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="program files (x86)") returned -1 [0287.377] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="microsoft") returned -1 [0287.378] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="sophos") returned -1 [0287.378] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de7f0 [0287.378] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.378] PathFindExtensionW (pszPath="1eRB6.rtf") returned=".rtf" [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0287.378] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0287.378] lstrcmpiW (lpString1="1eRB6.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.378] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de868 [0287.378] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\1eRB6.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\1erb6.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.379] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=3313) returned 1 [0287.379] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.379] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.379] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.379] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.379] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.379] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0287.379] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.379] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.379] GetTickCount () returned 0x1187f11 [0287.379] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0287.379] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0287.380] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xcf1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.380] SetLastError (dwErrCode=0x0) [0287.380] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.380] GetLastError () returned 0x0 [0287.380] GetLastError () returned 0x0 [0287.381] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xdf1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.381] WriteFile (in: hFile=0x270, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.381] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xef1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.381] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd19c59df, dwHighDateTime=0x1d5fd73)) [0287.381] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.381] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.381] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.381] GetProcessHeap () returned 0xa10000 [0287.381] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xcf1) returned 0xa3f6a8 [0287.381] GetSystemDefaultLangID () returned 0xa20409 [0287.381] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.381] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xcf1, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xcf1, lpOverlapped=0x0) returned 1 [0287.381] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.381] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xcf1, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xcf1, lpOverlapped=0x0) returned 1 [0287.381] GetProcessHeap () returned 0xa10000 [0287.381] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.381] CloseHandle (hObject=0x270) returned 1 [0287.382] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.382] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0287.382] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.382] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.382] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de8e0 [0287.382] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\1eRB6.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\1erb6.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\1eRB6.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\1erb6.rtf.nefilim")) returned 1 [0287.382] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8e0 | out: hHeap=0x28d0000) returned 1 [0287.382] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de868 | out: hHeap=0x28d0000) returned 1 [0287.382] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e05f440, ftCreationTime.dwHighDateTime=0x1d5ea41, ftLastAccessTime.dwLowDateTime=0x4a4dfc70, ftLastAccessTime.dwHighDateTime=0x1d5e0f2, ftLastWriteTime.dwLowDateTime=0x4a4dfc70, ftLastWriteTime.dwHighDateTime=0x1d5e0f2, nFileSizeHigh=0x0, nFileSizeLow=0xffcf, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="Epiks.pptx", cAlternateFileName="EPIKS~1.PPT")) returned 1 [0287.382] lstrcmpiW (lpString1="Epiks.pptx", lpString2=".") returned 1 [0287.382] lstrcmpiW (lpString1="Epiks.pptx", lpString2="..") returned 1 [0287.382] lstrcmpiW (lpString1="Epiks.pptx", lpString2="...") returned 1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="windows") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="$RECYCLE.BIN") returned 1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="rsa") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="NTDETECT.COM") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="ntldr") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="MSDOS.SYS") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="IO.SYS") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="boot.ini") returned 1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="ntuser.dat") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="desktop.ini") returned 1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="CONFIG.SYS") returned 1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="RECYCLER") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="BOOTSECT.BAK") returned 1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="bootmgr") returned 1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="programdata") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="appdata") returned 1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="program files") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="program files (x86)") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="microsoft") returned -1 [0287.383] lstrcmpiW (lpString1="Epiks.pptx", lpString2="sophos") returned -1 [0287.383] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de868 [0287.383] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f0 | out: hHeap=0x28d0000) returned 1 [0287.383] PathFindExtensionW (pszPath="Epiks.pptx") returned=".pptx" [0287.383] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0287.384] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0287.384] lstrcmpiW (lpString1="Epiks.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.384] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de788 [0287.384] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\Epiks.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\epiks.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.385] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=65487) returned 1 [0287.385] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.385] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.385] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.385] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.385] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.385] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.385] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.388] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.390] GetTickCount () returned 0x1187f11 [0287.390] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0287.390] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0287.390] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xffcf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.390] SetLastError (dwErrCode=0x0) [0287.390] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.391] GetLastError () returned 0x0 [0287.391] GetLastError () returned 0x0 [0287.391] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x100cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.392] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.392] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x101cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.392] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd19ebbd1, dwHighDateTime=0x1d5fd73)) [0287.392] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.392] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.392] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.392] GetProcessHeap () returned 0xa10000 [0287.392] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xffcf) returned 0xa3f6a8 [0287.392] GetSystemDefaultLangID () returned 0xa20409 [0287.392] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.392] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xffcf, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xffcf, lpOverlapped=0x0) returned 1 [0287.397] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.397] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xffcf, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xffcf, lpOverlapped=0x0) returned 1 [0287.397] GetProcessHeap () returned 0xa10000 [0287.397] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.398] CloseHandle (hObject=0x270) returned 1 [0287.398] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.398] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.398] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.398] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.398] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de8e0 [0287.398] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\Epiks.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\epiks.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\Epiks.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\epiks.pptx.nefilim")) returned 1 [0287.399] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8e0 | out: hHeap=0x28d0000) returned 1 [0287.399] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.399] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16c87760, ftCreationTime.dwHighDateTime=0x1d5e84d, ftLastAccessTime.dwLowDateTime=0xb2756b10, ftLastAccessTime.dwHighDateTime=0x1d5eafe, ftLastWriteTime.dwLowDateTime=0xb2756b10, ftLastWriteTime.dwHighDateTime=0x1d5eafe, nFileSizeHigh=0x0, nFileSizeLow=0x76d4, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="JaVgvzqnvevrI2.ods", cAlternateFileName="JAVGVZ~1.ODS")) returned 1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2=".") returned 1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="..") returned 1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="...") returned 1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="windows") returned -1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="$RECYCLE.BIN") returned 1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="rsa") returned -1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="NTDETECT.COM") returned -1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="ntldr") returned -1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="MSDOS.SYS") returned -1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="IO.SYS") returned 1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="boot.ini") returned 1 [0287.399] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="AUTOEXEC.BAT") returned 1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="ntuser.dat") returned -1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="desktop.ini") returned 1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="CONFIG.SYS") returned 1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="RECYCLER") returned -1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="BOOTSECT.BAK") returned 1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="bootmgr") returned 1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="programdata") returned -1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="appdata") returned 1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="program files") returned -1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="program files (x86)") returned -1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="microsoft") returned -1 [0287.400] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="sophos") returned -1 [0287.400] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de788 [0287.400] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de868 | out: hHeap=0x28d0000) returned 1 [0287.400] PathFindExtensionW (pszPath="JaVgvzqnvevrI2.ods") returned=".ods" [0287.400] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0287.400] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0287.400] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0287.400] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0287.400] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0287.400] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0287.400] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0287.400] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0287.400] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0287.401] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0287.401] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0287.401] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0287.401] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0287.401] lstrcmpiW (lpString1=".ods", lpString2=".NEFILIM") returned 1 [0287.401] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0287.401] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0287.401] lstrcmpiW (lpString1="JaVgvzqnvevrI2.ods", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.401] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de810 [0287.401] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\JaVgvzqnvevrI2.ods" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\javgvzqnvevri2.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.401] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=30420) returned 1 [0287.401] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.401] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.401] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.401] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.401] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0287.401] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.402] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.402] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.402] GetTickCount () returned 0x1187f21 [0287.402] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0287.402] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0287.402] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x76d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.402] SetLastError (dwErrCode=0x0) [0287.403] WriteFile (in: hFile=0x270, lpBuffer=0x2d21d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21d50*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.404] GetLastError () returned 0x0 [0287.404] GetLastError () returned 0x0 [0287.404] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x77d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.404] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.404] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x78d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.404] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd19ebbd1, dwHighDateTime=0x1d5fd73)) [0287.404] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.404] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.404] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.404] GetProcessHeap () returned 0xa10000 [0287.404] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x76d4) returned 0xa3f6a8 [0287.404] GetSystemDefaultLangID () returned 0xa20409 [0287.404] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.404] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x76d4, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x76d4, lpOverlapped=0x0) returned 1 [0287.406] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.406] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x76d4, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x76d4, lpOverlapped=0x0) returned 1 [0287.408] GetProcessHeap () returned 0xa10000 [0287.408] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.410] CloseHandle (hObject=0x270) returned 1 [0287.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21d50 | out: hHeap=0x28d0000) returned 1 [0287.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.410] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.410] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de898 [0287.410] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\JaVgvzqnvevrI2.ods" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\javgvzqnvevri2.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\JaVgvzqnvevrI2.ods.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\javgvzqnvevri2.ods.nefilim")) returned 1 [0287.411] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de898 | out: hHeap=0x28d0000) returned 1 [0287.411] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0287.411] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x767dba0, ftCreationTime.dwHighDateTime=0x1d5e99a, ftLastAccessTime.dwLowDateTime=0x8319860, ftLastAccessTime.dwHighDateTime=0x1d5e304, ftLastWriteTime.dwLowDateTime=0x8319860, ftLastWriteTime.dwHighDateTime=0x1d5e304, nFileSizeHigh=0x0, nFileSizeLow=0x8904, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="jsZ PGxEtJ6tOeT06.csv", cAlternateFileName="JSZPGX~1.CSV")) returned 1 [0287.411] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2=".") returned 1 [0287.411] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="..") returned 1 [0287.411] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="...") returned 1 [0287.411] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="windows") returned -1 [0287.411] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="$RECYCLE.BIN") returned 1 [0287.411] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="rsa") returned -1 [0287.411] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="NTDETECT.COM") returned -1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="ntldr") returned -1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="MSDOS.SYS") returned -1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="IO.SYS") returned 1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="boot.ini") returned 1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="AUTOEXEC.BAT") returned 1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="ntuser.dat") returned -1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="desktop.ini") returned 1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="CONFIG.SYS") returned 1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="RECYCLER") returned -1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="BOOTSECT.BAK") returned 1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="bootmgr") returned 1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="programdata") returned -1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="appdata") returned 1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="program files") returned -1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="program files (x86)") returned -1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="microsoft") returned -1 [0287.412] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="sophos") returned -1 [0287.412] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de810 [0287.412] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.412] PathFindExtensionW (pszPath="jsZ PGxEtJ6tOeT06.csv") returned=".csv" [0287.412] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0287.412] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0287.412] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0287.412] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".NEFILIM") returned -1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0287.413] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0287.413] lstrcmpiW (lpString1="jsZ PGxEtJ6tOeT06.csv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de788 [0287.413] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\jsZ PGxEtJ6tOeT06.csv" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\jsz pgxetj6toet06.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.413] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=35076) returned 1 [0287.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0287.413] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.414] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0287.414] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.414] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0287.414] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.414] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.416] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.418] GetTickCount () returned 0x1187f30 [0287.418] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0287.418] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0287.418] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8904, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.418] SetLastError (dwErrCode=0x0) [0287.418] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.420] GetLastError () returned 0x0 [0287.420] GetLastError () returned 0x0 [0287.420] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8a04, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.420] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.420] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8b04, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.420] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd1a11d44, dwHighDateTime=0x1d5fd73)) [0287.420] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.420] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.420] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.420] GetProcessHeap () returned 0xa10000 [0287.420] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x8904) returned 0xa3f6a8 [0287.422] GetSystemDefaultLangID () returned 0xa20409 [0287.422] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.422] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x8904, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x8904, lpOverlapped=0x0) returned 1 [0287.425] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.425] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x8904, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x8904, lpOverlapped=0x0) returned 1 [0287.425] GetProcessHeap () returned 0xa10000 [0287.426] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.426] CloseHandle (hObject=0x270) returned 1 [0287.426] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0287.426] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.426] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0287.426] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.426] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de898 [0287.426] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\jsZ PGxEtJ6tOeT06.csv" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\jsz pgxetj6toet06.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\jsZ PGxEtJ6tOeT06.csv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\jsz pgxetj6toet06.csv.nefilim")) returned 1 [0287.427] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de898 | out: hHeap=0x28d0000) returned 1 [0287.427] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.427] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fc8e9d0, ftCreationTime.dwHighDateTime=0x1d5f070, ftLastAccessTime.dwLowDateTime=0x317deb20, ftLastAccessTime.dwHighDateTime=0x1d5ebc8, ftLastWriteTime.dwLowDateTime=0x317deb20, ftLastWriteTime.dwHighDateTime=0x1d5ebc8, nFileSizeHigh=0x0, nFileSizeLow=0x150de, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="Rq-gf37eNi4Lnhfo-.csv", cAlternateFileName="RQ-GF3~1.CSV")) returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2=".") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="..") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="...") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="windows") returned -1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="$RECYCLE.BIN") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="rsa") returned -1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="NTDETECT.COM") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="ntldr") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="MSDOS.SYS") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="IO.SYS") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="boot.ini") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="AUTOEXEC.BAT") returned 1 [0287.427] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="ntuser.dat") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="desktop.ini") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="CONFIG.SYS") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="RECYCLER") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="BOOTSECT.BAK") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="bootmgr") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="programdata") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="appdata") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="program files") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="program files (x86)") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="microsoft") returned 1 [0287.428] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="sophos") returned -1 [0287.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de788 [0287.428] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0287.428] PathFindExtensionW (pszPath="Rq-gf37eNi4Lnhfo-.csv") returned=".csv" [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0287.428] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0287.429] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0287.429] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0287.429] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0287.429] lstrcmpiW (lpString1=".csv", lpString2=".NEFILIM") returned -1 [0287.429] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0287.429] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0287.429] lstrcmpiW (lpString1="Rq-gf37eNi4Lnhfo-.csv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.429] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de810 [0287.429] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\Rq-gf37eNi4Lnhfo-.csv" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\rq-gf37eni4lnhfo-.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.429] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=86238) returned 1 [0287.429] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.429] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.429] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.429] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.429] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.429] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.430] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.430] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.430] GetTickCount () returned 0x1187f40 [0287.430] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0287.430] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0287.430] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x150de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.430] SetLastError (dwErrCode=0x0) [0287.431] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.432] GetLastError () returned 0x0 [0287.432] GetLastError () returned 0x0 [0287.432] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x151de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.432] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.432] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x152de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.432] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd1a380b5, dwHighDateTime=0x1d5fd73)) [0287.432] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.432] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.432] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.432] GetProcessHeap () returned 0xa10000 [0287.432] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x150de) returned 0xa3f6a8 [0287.432] GetSystemDefaultLangID () returned 0xa20409 [0287.432] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.432] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x150de, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x150de, lpOverlapped=0x0) returned 1 [0287.438] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.439] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x150de, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x150de, lpOverlapped=0x0) returned 1 [0287.439] GetProcessHeap () returned 0xa10000 [0287.439] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.439] CloseHandle (hObject=0x270) returned 1 [0287.439] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.439] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.439] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.439] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.439] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de898 [0287.440] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\Rq-gf37eNi4Lnhfo-.csv" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\rq-gf37eni4lnhfo-.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\Rq-gf37eNi4Lnhfo-.csv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\rq-gf37eni4lnhfo-.csv.nefilim")) returned 1 [0287.440] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de898 | out: hHeap=0x28d0000) returned 1 [0287.440] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0287.440] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18a9fab0, ftCreationTime.dwHighDateTime=0x1d5ef76, ftLastAccessTime.dwLowDateTime=0x4f8be370, ftLastAccessTime.dwHighDateTime=0x1d5ecf8, ftLastWriteTime.dwLowDateTime=0x4f8be370, ftLastWriteTime.dwHighDateTime=0x1d5ecf8, nFileSizeHigh=0x0, nFileSizeLow=0xb5ca, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="YqcwZWmdxe.rtf", cAlternateFileName="YQCWZW~1.RTF")) returned 1 [0287.440] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2=".") returned 1 [0287.440] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="..") returned 1 [0287.440] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="...") returned 1 [0287.440] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="windows") returned 1 [0287.440] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="$RECYCLE.BIN") returned 1 [0287.440] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="rsa") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="NTDETECT.COM") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="ntldr") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="MSDOS.SYS") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="IO.SYS") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="boot.ini") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="ntuser.dat") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="desktop.ini") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="CONFIG.SYS") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="RECYCLER") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="BOOTSECT.BAK") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="bootmgr") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="programdata") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="appdata") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="program files") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="program files (x86)") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="microsoft") returned 1 [0287.441] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="sophos") returned 1 [0287.441] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de810 [0287.441] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.441] PathFindExtensionW (pszPath="YqcwZWmdxe.rtf") returned=".rtf" [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0287.441] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0287.442] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0287.442] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0287.442] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0287.442] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0287.442] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0287.442] lstrcmpiW (lpString1="YqcwZWmdxe.rtf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de788 [0287.442] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\YqcwZWmdxe.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\yqcwzwmdxe.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.442] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=46538) returned 1 [0287.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0287.442] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.442] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0287.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.442] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.443] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.443] GetTickCount () returned 0x1187f4f [0287.443] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dbec8 [0287.443] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec8 | out: hHeap=0x28d0000) returned 1 [0287.443] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb5ca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.443] SetLastError (dwErrCode=0x0) [0287.443] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.444] GetLastError () returned 0x0 [0287.444] GetLastError () returned 0x0 [0287.444] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb6ca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.444] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.444] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb7ca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.444] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd1a5e3a1, dwHighDateTime=0x1d5fd73)) [0287.444] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.444] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.444] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.445] GetProcessHeap () returned 0xa10000 [0287.445] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xb5ca) returned 0xa3f6a8 [0287.445] GetSystemDefaultLangID () returned 0xa20409 [0287.445] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.445] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xb5ca, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xb5ca, lpOverlapped=0x0) returned 1 [0287.447] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.447] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xb5ca, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xb5ca, lpOverlapped=0x0) returned 1 [0287.447] GetProcessHeap () returned 0xa10000 [0287.447] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.449] CloseHandle (hObject=0x270) returned 1 [0287.449] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.449] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.449] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.449] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0287.449] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de888 [0287.449] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\YqcwZWmdxe.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\yqcwzwmdxe.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\YqcwZWmdxe.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\yqcwzwmdxe.rtf.nefilim")) returned 1 [0287.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de888 | out: hHeap=0x28d0000) returned 1 [0287.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.450] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cb00e90, ftCreationTime.dwHighDateTime=0x1d5ef2c, ftLastAccessTime.dwLowDateTime=0x54205f20, ftLastAccessTime.dwHighDateTime=0x1d5ea18, ftLastWriteTime.dwLowDateTime=0x54205f20, ftLastWriteTime.dwHighDateTime=0x1d5ea18, nFileSizeHigh=0x0, nFileSizeLow=0x17291, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="YTguFzgRAkhV.xlsx", cAlternateFileName="YTGUFZ~1.XLS")) returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2=".") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="..") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="...") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="windows") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="rsa") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="NTDETECT.COM") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="ntldr") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="MSDOS.SYS") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="IO.SYS") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="boot.ini") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0287.450] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="ntuser.dat") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="desktop.ini") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="CONFIG.SYS") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="RECYCLER") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="bootmgr") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="programdata") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="appdata") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="program files") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="program files (x86)") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="microsoft") returned 1 [0287.451] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="sophos") returned 1 [0287.451] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de788 [0287.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0287.451] PathFindExtensionW (pszPath="YTguFzgRAkhV.xlsx") returned=".xlsx" [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0287.451] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0287.452] lstrcmpiW (lpString1="YTguFzgRAkhV.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28de810 [0287.452] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\YTguFzgRAkhV.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\ytgufzgrakhv.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.452] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=94865) returned 1 [0287.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0287.452] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.452] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0287.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.452] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0287.452] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.455] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.456] GetTickCount () returned 0x1187f5f [0287.456] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea10 [0287.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea10 | out: hHeap=0x28d0000) returned 1 [0287.457] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x17291, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.457] SetLastError (dwErrCode=0x0) [0287.457] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.458] GetLastError () returned 0x0 [0287.458] GetLastError () returned 0x0 [0287.458] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x17391, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.458] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.458] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x17491, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.458] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd1a84950, dwHighDateTime=0x1d5fd73)) [0287.458] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.458] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.458] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.458] GetProcessHeap () returned 0xa10000 [0287.458] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x17291) returned 0xa3f6a8 [0287.460] GetSystemDefaultLangID () returned 0xa20409 [0287.460] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.460] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x17291, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x17291, lpOverlapped=0x0) returned 1 [0287.467] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.467] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x17291, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x17291, lpOverlapped=0x0) returned 1 [0287.467] GetProcessHeap () returned 0xa10000 [0287.467] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.467] CloseHandle (hObject=0x270) returned 1 [0287.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0287.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0287.468] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28deca0 [0287.468] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\YTguFzgRAkhV.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\ytgufzgrakhv.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\YTguFzgRAkhV.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\ytgufzgrakhv.xlsx.nefilim")) returned 1 [0287.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0287.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0287.469] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60e36950, ftCreationTime.dwHighDateTime=0x1d5e2fc, ftLastAccessTime.dwLowDateTime=0x4bc2c410, ftLastAccessTime.dwHighDateTime=0x1d5edd5, ftLastWriteTime.dwLowDateTime=0x4bc2c410, ftLastWriteTime.dwHighDateTime=0x1d5edd5, nFileSizeHigh=0x0, nFileSizeLow=0x16194, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="zJkVd.docx", cAlternateFileName="ZJKVD~1.DOC")) returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2=".") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="..") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="...") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="windows") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="$RECYCLE.BIN") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="rsa") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="NTDETECT.COM") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="ntldr") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="MSDOS.SYS") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="IO.SYS") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="boot.ini") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="AUTOEXEC.BAT") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="ntuser.dat") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="desktop.ini") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="CONFIG.SYS") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="RECYCLER") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="BOOTSECT.BAK") returned 1 [0287.469] lstrcmpiW (lpString1="zJkVd.docx", lpString2="bootmgr") returned 1 [0287.470] lstrcmpiW (lpString1="zJkVd.docx", lpString2="programdata") returned 1 [0287.470] lstrcmpiW (lpString1="zJkVd.docx", lpString2="appdata") returned 1 [0287.470] lstrcmpiW (lpString1="zJkVd.docx", lpString2="program files") returned 1 [0287.470] lstrcmpiW (lpString1="zJkVd.docx", lpString2="program files (x86)") returned 1 [0287.470] lstrcmpiW (lpString1="zJkVd.docx", lpString2="microsoft") returned 1 [0287.470] lstrcmpiW (lpString1="zJkVd.docx", lpString2="sophos") returned 1 [0287.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de810 [0287.470] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.470] PathFindExtensionW (pszPath="zJkVd.docx") returned=".docx" [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0287.470] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0287.471] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0287.471] lstrcmpiW (lpString1="zJkVd.docx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.471] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de788 [0287.471] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\zJkVd.docx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\zjkvd.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0287.471] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=90516) returned 1 [0287.471] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.471] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.471] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.471] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.471] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.471] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0287.471] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0287.472] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0287.472] GetTickCount () returned 0x1187f6f [0287.472] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de968 [0287.473] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de968 | out: hHeap=0x28d0000) returned 1 [0287.473] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16194, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.473] SetLastError (dwErrCode=0x0) [0287.473] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.474] GetLastError () returned 0x0 [0287.474] GetLastError () returned 0x0 [0287.474] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16294, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.474] WriteFile (in: hFile=0x270, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0287.475] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16394, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.475] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd1aaa888, dwHighDateTime=0x1d5fd73)) [0287.475] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.475] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.475] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0287.475] GetProcessHeap () returned 0xa10000 [0287.475] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x16194) returned 0xa3f6a8 [0287.475] GetSystemDefaultLangID () returned 0xa20409 [0287.475] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.475] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x16194, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x16194, lpOverlapped=0x0) returned 1 [0287.479] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.479] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x16194, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x16194, lpOverlapped=0x0) returned 1 [0287.480] GetProcessHeap () returned 0xa10000 [0287.480] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0287.480] CloseHandle (hObject=0x270) returned 1 [0287.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0287.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.480] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28deca0 [0287.480] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\zJkVd.docx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\zjkvd.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\zJkVd.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\zjkvd.docx.nefilim")) returned 1 [0287.481] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0287.481] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0287.481] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7793d130, ftCreationTime.dwHighDateTime=0x1d5efdb, ftLastAccessTime.dwLowDateTime=0xd5079350, ftLastAccessTime.dwHighDateTime=0x1d5ec2b, ftLastWriteTime.dwLowDateTime=0xd5079350, ftLastWriteTime.dwHighDateTime=0x1d5ec2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="_Tu_", cAlternateFileName="")) returned 1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2=".") returned 1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="..") returned 1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="...") returned 1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="windows") returned -1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="$RECYCLE.BIN") returned 1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="rsa") returned -1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="NTDETECT.COM") returned -1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="ntldr") returned -1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="MSDOS.SYS") returned -1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="IO.SYS") returned -1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="boot.ini") returned -1 [0287.481] lstrcmpiW (lpString1="_Tu_", lpString2="AUTOEXEC.BAT") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="ntuser.dat") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="desktop.ini") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="CONFIG.SYS") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="RECYCLER") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="BOOTSECT.BAK") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="bootmgr") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="programdata") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="appdata") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="program files") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="program files (x86)") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="microsoft") returned -1 [0287.482] lstrcmpiW (lpString1="_Tu_", lpString2="sophos") returned -1 [0287.482] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de788 [0287.482] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de810 | out: hHeap=0x28d0000) returned 1 [0287.482] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f0 [0287.482] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28deca0 [0287.482] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded08 [0287.482] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7793d130, ftCreationTime.dwHighDateTime=0x1d5efdb, ftLastAccessTime.dwLowDateTime=0xd5079350, ftLastAccessTime.dwHighDateTime=0x1d5ec2b, ftLastWriteTime.dwLowDateTime=0xd5079350, ftLastWriteTime.dwHighDateTime=0x1d5ec2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0287.482] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0287.482] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7793d130, ftCreationTime.dwHighDateTime=0x1d5efdb, ftLastAccessTime.dwLowDateTime=0xd5079350, ftLastAccessTime.dwHighDateTime=0x1d5ec2b, ftLastWriteTime.dwLowDateTime=0xd5079350, ftLastWriteTime.dwHighDateTime=0x1d5ec2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="..", cAlternateFileName="")) returned 1 [0287.483] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0287.483] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0287.483] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8dddd360, ftCreationTime.dwHighDateTime=0x1d5e8b4, ftLastAccessTime.dwLowDateTime=0x8fcd1f90, ftLastAccessTime.dwHighDateTime=0x1d5e4eb, ftLastWriteTime.dwLowDateTime=0x8fcd1f90, ftLastWriteTime.dwHighDateTime=0x1d5e4eb, nFileSizeHigh=0x0, nFileSizeLow=0x3250, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="5kamX-Qff.docx", cAlternateFileName="5KAMX-~1.DOC")) returned 1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2=".") returned 1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="..") returned 1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="...") returned 1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="windows") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="$RECYCLE.BIN") returned 1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="rsa") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="NTDETECT.COM") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="ntldr") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="MSDOS.SYS") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="IO.SYS") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="boot.ini") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="AUTOEXEC.BAT") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="ntuser.dat") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="desktop.ini") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="CONFIG.SYS") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="RECYCLER") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="BOOTSECT.BAK") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="bootmgr") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="programdata") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="appdata") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="program files") returned -1 [0287.483] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="program files (x86)") returned -1 [0287.484] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="microsoft") returned -1 [0287.484] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="sophos") returned -1 [0287.484] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28ded80 [0287.484] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.484] PathFindExtensionW (pszPath="5kamX-Qff.docx") returned=".docx" [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0287.484] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0287.484] lstrcmpiW (lpString1="5kamX-Qff.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.484] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dee08 [0287.484] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\5kamX-Qff.docx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\5kamx-qff.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.486] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=12880) returned 1 [0287.486] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0287.486] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.486] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0287.486] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.486] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0287.486] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.486] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.488] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.490] GetTickCount () returned 0x1187f7e [0287.490] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf0 [0287.490] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf0 | out: hHeap=0x28d0000) returned 1 [0287.490] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.490] SetLastError (dwErrCode=0x0) [0287.490] WriteFile (in: hFile=0x274, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.492] GetLastError () returned 0x0 [0287.492] GetLastError () returned 0x0 [0287.492] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.492] WriteFile (in: hFile=0x274, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.492] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.492] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1ad0ab6, dwHighDateTime=0x1d5fd73)) [0287.492] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.492] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.492] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.492] GetProcessHeap () returned 0xa10000 [0287.492] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3250) returned 0xa406b0 [0287.492] GetSystemDefaultLangID () returned 0xa20409 [0287.492] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.492] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x3250, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x3250, lpOverlapped=0x0) returned 1 [0287.493] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.493] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x3250, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x3250, lpOverlapped=0x0) returned 1 [0287.493] GetProcessHeap () returned 0xa10000 [0287.494] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.494] CloseHandle (hObject=0x274) returned 1 [0287.494] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0287.494] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.494] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0287.494] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.494] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee90 [0287.494] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\5kamX-Qff.docx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\5kamx-qff.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\5kamX-Qff.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\5kamx-qff.docx.nefilim")) returned 1 [0287.495] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee90 | out: hHeap=0x28d0000) returned 1 [0287.495] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee08 | out: hHeap=0x28d0000) returned 1 [0287.495] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda78250, ftCreationTime.dwHighDateTime=0x1d5e4fd, ftLastAccessTime.dwLowDateTime=0xeb7395a0, ftLastAccessTime.dwHighDateTime=0x1d5e305, ftLastWriteTime.dwLowDateTime=0xeb7395a0, ftLastWriteTime.dwHighDateTime=0x1d5e305, nFileSizeHigh=0x0, nFileSizeLow=0xe9cf, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="83Qq_8eJBaRNqBDCiA9.pptx", cAlternateFileName="83QQ_8~1.PPT")) returned 1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2=".") returned 1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="..") returned 1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="...") returned 1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="windows") returned -1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="$RECYCLE.BIN") returned 1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="rsa") returned -1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="NTDETECT.COM") returned -1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="ntldr") returned -1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="MSDOS.SYS") returned -1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="IO.SYS") returned -1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="boot.ini") returned -1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="AUTOEXEC.BAT") returned -1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="ntuser.dat") returned -1 [0287.495] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="desktop.ini") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="CONFIG.SYS") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="RECYCLER") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="BOOTSECT.BAK") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="bootmgr") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="programdata") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="appdata") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="program files") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="program files (x86)") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="microsoft") returned -1 [0287.496] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="sophos") returned -1 [0287.496] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee08 [0287.496] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded80 | out: hHeap=0x28d0000) returned 1 [0287.496] PathFindExtensionW (pszPath="83Qq_8eJBaRNqBDCiA9.pptx") returned=".pptx" [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0287.496] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0287.497] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0287.497] lstrcmpiW (lpString1="83Qq_8eJBaRNqBDCiA9.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.497] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28ded08 [0287.497] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\83Qq_8eJBaRNqBDCiA9.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\83qq_8ejbarnqbdcia9.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.497] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=59855) returned 1 [0287.497] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.497] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.497] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.497] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.497] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.497] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0287.497] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.498] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.498] GetTickCount () returned 0x1187f7e [0287.498] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb28 [0287.498] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb28 | out: hHeap=0x28d0000) returned 1 [0287.498] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe9cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.498] SetLastError (dwErrCode=0x0) [0287.498] WriteFile (in: hFile=0x274, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.499] GetLastError () returned 0x0 [0287.499] GetLastError () returned 0x0 [0287.500] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xeacf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.500] WriteFile (in: hFile=0x274, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.500] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xebcf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.500] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1ad0ab6, dwHighDateTime=0x1d5fd73)) [0287.500] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.500] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.500] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.500] GetProcessHeap () returned 0xa10000 [0287.500] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe9cf) returned 0xa406b0 [0287.501] GetSystemDefaultLangID () returned 0xa20409 [0287.501] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.501] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0xe9cf, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0xe9cf, lpOverlapped=0x0) returned 1 [0287.505] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.505] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0xe9cf, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0xe9cf, lpOverlapped=0x0) returned 1 [0287.506] GetProcessHeap () returned 0xa10000 [0287.506] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.507] CloseHandle (hObject=0x274) returned 1 [0287.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0287.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.508] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.508] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28deea0 [0287.508] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\83Qq_8eJBaRNqBDCiA9.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\83qq_8ejbarnqbdcia9.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\83Qq_8eJBaRNqBDCiA9.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\83qq_8ejbarnqbdcia9.pptx.nefilim")) returned 1 [0287.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deea0 | out: hHeap=0x28d0000) returned 1 [0287.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.509] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab0c1230, ftCreationTime.dwHighDateTime=0x1d5eb25, ftLastAccessTime.dwLowDateTime=0x171bb8f0, ftLastAccessTime.dwHighDateTime=0x1d5eae9, ftLastWriteTime.dwLowDateTime=0x171bb8f0, ftLastWriteTime.dwHighDateTime=0x1d5eae9, nFileSizeHigh=0x0, nFileSizeLow=0x18d80, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="A3oHZ--csv5Gz_fdCK.odp", cAlternateFileName="A3OHZ-~1.ODP")) returned 1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2=".") returned 1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="..") returned 1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="...") returned 1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="windows") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="$RECYCLE.BIN") returned 1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="rsa") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="NTDETECT.COM") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="ntldr") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="MSDOS.SYS") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="IO.SYS") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="boot.ini") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="AUTOEXEC.BAT") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="ntuser.dat") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="desktop.ini") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="CONFIG.SYS") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="RECYCLER") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="BOOTSECT.BAK") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="bootmgr") returned -1 [0287.509] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="programdata") returned -1 [0287.510] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="appdata") returned -1 [0287.510] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="program files") returned -1 [0287.510] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="program files (x86)") returned -1 [0287.510] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="microsoft") returned -1 [0287.510] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="sophos") returned -1 [0287.510] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28ded08 [0287.510] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee08 | out: hHeap=0x28d0000) returned 1 [0287.510] PathFindExtensionW (pszPath="A3oHZ--csv5Gz_fdCK.odp") returned=".odp" [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".NEFILIM") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0287.510] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0287.510] lstrcmpiW (lpString1="A3oHZ--csv5Gz_fdCK.odp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.510] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28deda0 [0287.510] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\A3oHZ--csv5Gz_fdCK.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\a3ohz--csv5gz_fdck.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.511] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=101760) returned 1 [0287.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.511] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.511] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0287.511] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.513] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.513] GetTickCount () returned 0x1187f8e [0287.513] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb60 [0287.513] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb60 | out: hHeap=0x28d0000) returned 1 [0287.513] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.513] SetLastError (dwErrCode=0x0) [0287.513] WriteFile (in: hFile=0x274, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.514] GetLastError () returned 0x0 [0287.514] GetLastError () returned 0x0 [0287.514] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.514] WriteFile (in: hFile=0x274, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.514] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.514] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1af6dd5, dwHighDateTime=0x1d5fd73)) [0287.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.514] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.514] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.514] GetProcessHeap () returned 0xa10000 [0287.514] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x18d80) returned 0xa406b0 [0287.515] GetSystemDefaultLangID () returned 0xa20409 [0287.515] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.515] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x18d80, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x18d80, lpOverlapped=0x0) returned 1 [0287.521] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.521] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x18d80, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x18d80, lpOverlapped=0x0) returned 1 [0287.522] GetProcessHeap () returned 0xa10000 [0287.522] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.522] CloseHandle (hObject=0x274) returned 1 [0287.522] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.522] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0287.522] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.522] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.522] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee38 [0287.522] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\A3oHZ--csv5Gz_fdCK.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\a3ohz--csv5gz_fdck.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\A3oHZ--csv5Gz_fdCK.odp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\a3ohz--csv5gz_fdck.odp.nefilim")) returned 1 [0287.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee38 | out: hHeap=0x28d0000) returned 1 [0287.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deda0 | out: hHeap=0x28d0000) returned 1 [0287.523] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16f68920, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0x817ee430, ftLastAccessTime.dwHighDateTime=0x1d5efba, ftLastWriteTime.dwLowDateTime=0x817ee430, ftLastWriteTime.dwHighDateTime=0x1d5efba, nFileSizeHigh=0x0, nFileSizeLow=0xe6e2, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="cXXTM.odp", cAlternateFileName="")) returned 1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2=".") returned 1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="..") returned 1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="...") returned 1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="windows") returned -1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="$RECYCLE.BIN") returned 1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="rsa") returned -1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="NTDETECT.COM") returned -1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="ntldr") returned -1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="MSDOS.SYS") returned -1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="IO.SYS") returned -1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="boot.ini") returned 1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="AUTOEXEC.BAT") returned 1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="ntuser.dat") returned -1 [0287.523] lstrcmpiW (lpString1="cXXTM.odp", lpString2="desktop.ini") returned -1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="CONFIG.SYS") returned 1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="RECYCLER") returned -1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="BOOTSECT.BAK") returned 1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="bootmgr") returned 1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="programdata") returned -1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="appdata") returned 1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="program files") returned -1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="program files (x86)") returned -1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="microsoft") returned -1 [0287.524] lstrcmpiW (lpString1="cXXTM.odp", lpString2="sophos") returned -1 [0287.524] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28deda0 [0287.524] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.524] PathFindExtensionW (pszPath="cXXTM.odp") returned=".odp" [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0287.524] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0287.525] lstrcmpiW (lpString1=".odp", lpString2=".NEFILIM") returned 1 [0287.525] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0287.525] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0287.525] lstrcmpiW (lpString1="cXXTM.odp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.525] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded08 [0287.525] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\cXXTM.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\cxxtm.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.525] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=59106) returned 1 [0287.525] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.525] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.525] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.525] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.525] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0287.525] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.525] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.525] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.526] GetTickCount () returned 0x1187f9e [0287.526] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c0 [0287.526] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c0 | out: hHeap=0x28d0000) returned 1 [0287.526] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe6e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.526] SetLastError (dwErrCode=0x0) [0287.526] WriteFile (in: hFile=0x274, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.527] GetLastError () returned 0x0 [0287.527] GetLastError () returned 0x0 [0287.527] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe7e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.527] WriteFile (in: hFile=0x274, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.527] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe8e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.527] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1b1ceb1, dwHighDateTime=0x1d5fd73)) [0287.527] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.527] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.527] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.527] GetProcessHeap () returned 0xa10000 [0287.527] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe6e2) returned 0xa406b0 [0287.527] GetSystemDefaultLangID () returned 0xa20409 [0287.527] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.527] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0xe6e2, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0xe6e2, lpOverlapped=0x0) returned 1 [0287.530] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.530] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0xe6e2, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0xe6e2, lpOverlapped=0x0) returned 1 [0287.531] GetProcessHeap () returned 0xa10000 [0287.531] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.531] CloseHandle (hObject=0x274) returned 1 [0287.531] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0287.531] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.531] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.531] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.531] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dee18 [0287.531] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\cXXTM.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\cxxtm.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\cXXTM.odp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\cxxtm.odp.nefilim")) returned 1 [0287.532] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee18 | out: hHeap=0x28d0000) returned 1 [0287.532] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.532] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbeea4420, ftCreationTime.dwHighDateTime=0x1d5eb07, ftLastAccessTime.dwLowDateTime=0x2a9ae210, ftLastAccessTime.dwHighDateTime=0x1d5eb67, ftLastWriteTime.dwLowDateTime=0x2a9ae210, ftLastWriteTime.dwHighDateTime=0x1d5eb67, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="eTZdbxM4K", cAlternateFileName="ETZDBX~1")) returned 1 [0287.532] lstrcmpiW (lpString1="eTZdbxM4K", lpString2=".") returned 1 [0287.532] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="..") returned 1 [0287.532] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="...") returned 1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="windows") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="$RECYCLE.BIN") returned 1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="rsa") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="NTDETECT.COM") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="ntldr") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="MSDOS.SYS") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="IO.SYS") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="boot.ini") returned 1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="AUTOEXEC.BAT") returned 1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="ntuser.dat") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="desktop.ini") returned 1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="CONFIG.SYS") returned 1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="RECYCLER") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="BOOTSECT.BAK") returned 1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="bootmgr") returned 1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="programdata") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="appdata") returned 1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="program files") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="program files (x86)") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="microsoft") returned -1 [0287.533] lstrcmpiW (lpString1="eTZdbxM4K", lpString2="sophos") returned -1 [0287.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded08 [0287.533] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deda0 | out: hHeap=0x28d0000) returned 1 [0287.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded80 [0287.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dedf8 [0287.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dee70 [0287.533] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbeea4420, ftCreationTime.dwHighDateTime=0x1d5eb07, ftLastAccessTime.dwLowDateTime=0x2a9ae210, ftLastAccessTime.dwHighDateTime=0x1d5eb67, ftLastWriteTime.dwLowDateTime=0x2a9ae210, ftLastWriteTime.dwHighDateTime=0x1d5eb67, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0287.534] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0287.534] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbeea4420, ftCreationTime.dwHighDateTime=0x1d5eb07, ftLastAccessTime.dwLowDateTime=0x2a9ae210, ftLastAccessTime.dwHighDateTime=0x1d5eb67, ftLastWriteTime.dwLowDateTime=0x2a9ae210, ftLastWriteTime.dwHighDateTime=0x1d5eb67, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="..", cAlternateFileName="")) returned 1 [0287.534] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0287.534] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0287.534] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f6adff0, ftCreationTime.dwHighDateTime=0x1d5ed6b, ftLastAccessTime.dwLowDateTime=0xdf9ef780, ftLastAccessTime.dwHighDateTime=0x1d5e178, ftLastWriteTime.dwLowDateTime=0xdf9ef780, ftLastWriteTime.dwHighDateTime=0x1d5e178, nFileSizeHigh=0x0, nFileSizeLow=0x17a42, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="- PFeQrpj.doc", cAlternateFileName="-PFEQR~1.DOC")) returned 1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2=".") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="..") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="...") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="windows") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="$RECYCLE.BIN") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="rsa") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="NTDETECT.COM") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="ntldr") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="MSDOS.SYS") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="IO.SYS") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="boot.ini") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="AUTOEXEC.BAT") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="ntuser.dat") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="desktop.ini") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="CONFIG.SYS") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="RECYCLER") returned -1 [0287.534] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="BOOTSECT.BAK") returned -1 [0287.535] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="bootmgr") returned -1 [0287.535] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="programdata") returned -1 [0287.535] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="appdata") returned -1 [0287.535] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="program files") returned -1 [0287.535] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="program files (x86)") returned -1 [0287.535] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="microsoft") returned -1 [0287.535] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="sophos") returned -1 [0287.535] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28deef8 [0287.535] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee70 | out: hHeap=0x28d0000) returned 1 [0287.535] PathFindExtensionW (pszPath="- PFeQrpj.doc") returned=".doc" [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".com") returned 1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".cpl") returned 1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".url") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".mp3") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".pif") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".mp4") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".NEFILIM") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0287.535] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0287.536] lstrcmpiW (lpString1="- PFeQrpj.doc", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x2d22050 [0287.536] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\- PFeQrpj.doc" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\- pfeqrpj.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0287.536] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=96834) returned 1 [0287.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.536] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.536] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.536] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0287.536] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0287.536] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0287.537] GetTickCount () returned 0x1187fad [0287.537] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb98 [0287.537] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb98 | out: hHeap=0x28d0000) returned 1 [0287.537] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x17a42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.537] SetLastError (dwErrCode=0x0) [0287.537] WriteFile (in: hFile=0x278, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.538] GetLastError () returned 0x0 [0287.538] GetLastError () returned 0x0 [0287.538] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x17b42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.538] WriteFile (in: hFile=0x278, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.538] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x17c42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.538] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd1b43151, dwHighDateTime=0x1d5fd73)) [0287.538] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.538] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.538] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0287.538] GetProcessHeap () returned 0xa10000 [0287.538] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x17a42) returned 0xa416b8 [0287.538] GetSystemDefaultLangID () returned 0xa20409 [0287.538] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.538] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x17a42, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x17a42, lpOverlapped=0x0) returned 1 [0287.544] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.544] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x17a42, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x17a42, lpOverlapped=0x0) returned 1 [0287.544] GetProcessHeap () returned 0xa10000 [0287.544] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0287.544] CloseHandle (hObject=0x278) returned 1 [0287.544] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.544] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0287.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.545] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x2d220e8 [0287.545] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\- PFeQrpj.doc" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\- pfeqrpj.doc"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\- PFeQrpj.doc.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\- pfeqrpj.doc.nefilim")) returned 1 [0287.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d220e8 | out: hHeap=0x28d0000) returned 1 [0287.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0287.545] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedf72370, ftCreationTime.dwHighDateTime=0x1d5eb2d, ftLastAccessTime.dwLowDateTime=0x1465c720, ftLastAccessTime.dwHighDateTime=0x1d5e54b, ftLastWriteTime.dwLowDateTime=0x1465c720, ftLastWriteTime.dwHighDateTime=0x1d5e54b, nFileSizeHigh=0x0, nFileSizeLow=0x16842, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="039nHTo1Tej9C5lS8.pps", cAlternateFileName="039NHT~1.PPS")) returned 1 [0287.545] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2=".") returned 1 [0287.545] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="..") returned 1 [0287.545] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="...") returned 1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="windows") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="$RECYCLE.BIN") returned 1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="rsa") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="NTDETECT.COM") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="ntldr") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="MSDOS.SYS") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="IO.SYS") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="boot.ini") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="AUTOEXEC.BAT") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="ntuser.dat") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="desktop.ini") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="CONFIG.SYS") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="RECYCLER") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="BOOTSECT.BAK") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="bootmgr") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="programdata") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="appdata") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="program files") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="program files (x86)") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="microsoft") returned -1 [0287.546] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="sophos") returned -1 [0287.546] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x2d22050 [0287.546] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deef8 | out: hHeap=0x28d0000) returned 1 [0287.546] PathFindExtensionW (pszPath="039nHTo1Tej9C5lS8.pps") returned=".pps" [0287.546] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0287.546] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0287.546] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0287.546] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0287.546] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0287.546] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0287.546] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0287.546] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0287.546] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0287.547] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0287.547] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0287.547] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0287.547] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0287.547] lstrcmpiW (lpString1=".pps", lpString2=".NEFILIM") returned 1 [0287.547] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0287.547] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0287.547] lstrcmpiW (lpString1="039nHTo1Tej9C5lS8.pps", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.547] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee70 [0287.547] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\039nHTo1Tej9C5lS8.pps" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\039nhto1tej9c5ls8.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0287.547] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=92226) returned 1 [0287.548] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0287.549] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.549] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0287.549] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.549] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0287.549] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.549] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0287.551] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0287.553] GetTickCount () returned 0x1187fbd [0287.553] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28debd0 [0287.553] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28debd0 | out: hHeap=0x28d0000) returned 1 [0287.553] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x16842, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.553] SetLastError (dwErrCode=0x0) [0287.553] WriteFile (in: hFile=0x278, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.554] GetLastError () returned 0x0 [0287.554] GetLastError () returned 0x0 [0287.554] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x16942, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.554] WriteFile (in: hFile=0x278, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.554] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x16a42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.554] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd1b693a2, dwHighDateTime=0x1d5fd73)) [0287.555] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.555] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0287.555] GetProcessHeap () returned 0xa10000 [0287.555] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x16842) returned 0xa416b8 [0287.555] GetSystemDefaultLangID () returned 0xa20409 [0287.555] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.555] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x16842, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x16842, lpOverlapped=0x0) returned 1 [0287.561] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.561] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x16842, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x16842, lpOverlapped=0x0) returned 1 [0287.562] GetProcessHeap () returned 0xa10000 [0287.562] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0287.562] CloseHandle (hObject=0x278) returned 1 [0287.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0287.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0287.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.562] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28def18 [0287.562] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\039nHTo1Tej9C5lS8.pps" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\039nhto1tej9c5ls8.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\039nHTo1Tej9C5lS8.pps.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\039nhto1tej9c5ls8.pps.nefilim")) returned 1 [0287.563] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def18 | out: hHeap=0x28d0000) returned 1 [0287.564] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee70 | out: hHeap=0x28d0000) returned 1 [0287.564] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fdfbd90, ftCreationTime.dwHighDateTime=0x1d5e1b3, ftLastAccessTime.dwLowDateTime=0xd0758050, ftLastAccessTime.dwHighDateTime=0x1d5e491, ftLastWriteTime.dwLowDateTime=0xd0758050, ftLastWriteTime.dwHighDateTime=0x1d5e491, nFileSizeHigh=0x0, nFileSizeLow=0x9d82, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="43nrGOpSESfC0d.pdf", cAlternateFileName="43NRGO~1.PDF")) returned 1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2=".") returned 1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="..") returned 1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="...") returned 1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="windows") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="$RECYCLE.BIN") returned 1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="rsa") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="NTDETECT.COM") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="ntldr") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="MSDOS.SYS") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="IO.SYS") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="boot.ini") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="AUTOEXEC.BAT") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="ntuser.dat") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="desktop.ini") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="CONFIG.SYS") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="RECYCLER") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="BOOTSECT.BAK") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="bootmgr") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="programdata") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="appdata") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="program files") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="program files (x86)") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="microsoft") returned -1 [0287.564] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="sophos") returned -1 [0287.564] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee70 [0287.564] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0287.565] PathFindExtensionW (pszPath="43nrGOpSESfC0d.pdf") returned=".pdf" [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".com") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".url") returned -1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".mp3") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".pif") returned -1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".mp4") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".NEFILIM") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0287.565] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0287.565] lstrcmpiW (lpString1="43nrGOpSESfC0d.pdf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.565] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28def18 [0287.565] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\43nrGOpSESfC0d.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\43nrgopsesfc0d.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0287.565] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=40322) returned 1 [0287.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0287.566] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.566] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0287.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.566] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0287.566] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0287.566] GetTickCount () returned 0x1187fcc [0287.566] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de930 [0287.566] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de930 | out: hHeap=0x28d0000) returned 1 [0287.566] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x9d82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.567] SetLastError (dwErrCode=0x0) [0287.567] WriteFile (in: hFile=0x278, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.567] GetLastError () returned 0x0 [0287.567] GetLastError () returned 0x0 [0287.567] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x9e82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.568] WriteFile (in: hFile=0x278, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.568] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x9f82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.568] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd1b8f595, dwHighDateTime=0x1d5fd73)) [0287.568] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.568] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0287.568] GetProcessHeap () returned 0xa10000 [0287.568] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x9d82) returned 0xa416b8 [0287.568] GetSystemDefaultLangID () returned 0xa20409 [0287.568] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.568] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x9d82, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x9d82, lpOverlapped=0x0) returned 1 [0287.570] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.570] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x9d82, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x9d82, lpOverlapped=0x0) returned 1 [0287.571] GetProcessHeap () returned 0xa10000 [0287.571] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0287.572] CloseHandle (hObject=0x278) returned 1 [0287.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0287.573] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x2d22050 [0287.573] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\43nrGOpSESfC0d.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\43nrgopsesfc0d.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\43nrGOpSESfC0d.pdf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\43nrgopsesfc0d.pdf.nefilim")) returned 1 [0287.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0287.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def18 | out: hHeap=0x28d0000) returned 1 [0287.573] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99845020, ftCreationTime.dwHighDateTime=0x1d5ec03, ftLastAccessTime.dwLowDateTime=0x42b8f080, ftLastAccessTime.dwHighDateTime=0x1d5e8ec, ftLastWriteTime.dwLowDateTime=0x42b8f080, ftLastWriteTime.dwHighDateTime=0x1d5e8ec, nFileSizeHigh=0x0, nFileSizeLow=0x4129, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="4H4S0a5QDPuh.pptx", cAlternateFileName="4H4S0A~1.PPT")) returned 1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2=".") returned 1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="..") returned 1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="...") returned 1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="windows") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="$RECYCLE.BIN") returned 1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="rsa") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="NTDETECT.COM") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="ntldr") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="MSDOS.SYS") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="IO.SYS") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="boot.ini") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="AUTOEXEC.BAT") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="ntuser.dat") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="desktop.ini") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="CONFIG.SYS") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="RECYCLER") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="BOOTSECT.BAK") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="bootmgr") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="programdata") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="appdata") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="program files") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="program files (x86)") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="microsoft") returned -1 [0287.574] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="sophos") returned -1 [0287.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28def18 [0287.574] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee70 | out: hHeap=0x28d0000) returned 1 [0287.574] PathFindExtensionW (pszPath="4H4S0a5QDPuh.pptx") returned=".pptx" [0287.574] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0287.574] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0287.574] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0287.574] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0287.575] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0287.575] lstrcmpiW (lpString1="4H4S0a5QDPuh.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee70 [0287.575] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\4H4S0a5QDPuh.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\4h4s0a5qdpuh.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0287.575] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=16681) returned 1 [0287.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.575] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.575] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0287.575] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.576] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0287.577] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0287.579] GetTickCount () returned 0x1187fdc [0287.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28debd0 [0287.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28debd0 | out: hHeap=0x28d0000) returned 1 [0287.579] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x4129, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.579] SetLastError (dwErrCode=0x0) [0287.579] WriteFile (in: hFile=0x278, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.580] GetLastError () returned 0x0 [0287.580] GetLastError () returned 0x0 [0287.580] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x4229, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.580] WriteFile (in: hFile=0x278, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.580] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x4329, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.580] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd1bb5773, dwHighDateTime=0x1d5fd73)) [0287.580] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.580] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.580] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0287.580] GetProcessHeap () returned 0xa10000 [0287.580] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4129) returned 0xa416b8 [0287.582] GetSystemDefaultLangID () returned 0xa20409 [0287.582] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.582] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x4129, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x4129, lpOverlapped=0x0) returned 1 [0287.583] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.583] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x4129, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x4129, lpOverlapped=0x0) returned 1 [0287.583] GetProcessHeap () returned 0xa10000 [0287.583] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0287.583] CloseHandle (hObject=0x278) returned 1 [0287.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0287.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.583] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.583] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x2d22050 [0287.583] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\4H4S0a5QDPuh.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\4h4s0a5qdpuh.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\4H4S0a5QDPuh.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\4h4s0a5qdpuh.pptx.nefilim")) returned 1 [0287.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0287.584] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee70 | out: hHeap=0x28d0000) returned 1 [0287.584] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf4fced0, ftCreationTime.dwHighDateTime=0x1d5edc2, ftLastAccessTime.dwLowDateTime=0xce0a3cb0, ftLastAccessTime.dwHighDateTime=0x1d5ec94, ftLastWriteTime.dwLowDateTime=0xce0a3cb0, ftLastWriteTime.dwHighDateTime=0x1d5ec94, nFileSizeHigh=0x0, nFileSizeLow=0x14667, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="eHAVpOnF1W.pps", cAlternateFileName="EHAVPO~1.PPS")) returned 1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2=".") returned 1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="..") returned 1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="...") returned 1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="windows") returned -1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="$RECYCLE.BIN") returned 1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="rsa") returned -1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="NTDETECT.COM") returned -1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="ntldr") returned -1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="MSDOS.SYS") returned -1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="IO.SYS") returned -1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="boot.ini") returned 1 [0287.584] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="AUTOEXEC.BAT") returned 1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="ntuser.dat") returned -1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="desktop.ini") returned 1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="CONFIG.SYS") returned 1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="RECYCLER") returned -1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="BOOTSECT.BAK") returned 1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="bootmgr") returned 1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="programdata") returned -1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="appdata") returned 1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="program files") returned -1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="program files (x86)") returned -1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="microsoft") returned -1 [0287.585] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="sophos") returned -1 [0287.585] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee70 [0287.585] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def18 | out: hHeap=0x28d0000) returned 1 [0287.585] PathFindExtensionW (pszPath="eHAVpOnF1W.pps") returned=".pps" [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0287.585] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0287.586] lstrcmpiW (lpString1=".pps", lpString2=".NEFILIM") returned 1 [0287.586] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0287.586] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0287.586] lstrcmpiW (lpString1="eHAVpOnF1W.pps", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28def08 [0287.586] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\eHAVpOnF1W.pps" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\ehavponf1w.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0287.586] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=83559) returned 1 [0287.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0287.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.586] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0287.586] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.586] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.586] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0287.587] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0287.587] GetTickCount () returned 0x1187fdc [0287.587] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb98 [0287.587] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb98 | out: hHeap=0x28d0000) returned 1 [0287.587] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x14667, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.587] SetLastError (dwErrCode=0x0) [0287.587] WriteFile (in: hFile=0x278, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.588] GetLastError () returned 0x0 [0287.588] GetLastError () returned 0x0 [0287.588] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x14767, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.588] WriteFile (in: hFile=0x278, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.588] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x14867, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.588] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd1bb5773, dwHighDateTime=0x1d5fd73)) [0287.588] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28defa0 [0287.588] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28defa0 | out: hHeap=0x28d0000) returned 1 [0287.588] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0287.589] GetProcessHeap () returned 0xa10000 [0287.589] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x14667) returned 0xa416b8 [0287.589] GetSystemDefaultLangID () returned 0xa20409 [0287.589] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.589] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x14667, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x14667, lpOverlapped=0x0) returned 1 [0287.595] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.595] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x14667, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x14667, lpOverlapped=0x0) returned 1 [0287.595] GetProcessHeap () returned 0xa10000 [0287.596] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0287.596] CloseHandle (hObject=0x278) returned 1 [0287.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0287.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.596] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x2d22050 [0287.596] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\eHAVpOnF1W.pps" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\ehavponf1w.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\eHAVpOnF1W.pps.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\ehavponf1w.pps.nefilim")) returned 1 [0287.597] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0287.597] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def08 | out: hHeap=0x28d0000) returned 1 [0287.597] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x182dbcc0, ftCreationTime.dwHighDateTime=0x1d5ebbb, ftLastAccessTime.dwLowDateTime=0x1dc39a90, ftLastAccessTime.dwHighDateTime=0x1d5ea96, ftLastWriteTime.dwLowDateTime=0x1dc39a90, ftLastWriteTime.dwHighDateTime=0x1d5ea96, nFileSizeHigh=0x0, nFileSizeLow=0x3056, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="mr6JAtYL-X64Hc.odp", cAlternateFileName="MR6JAT~1.ODP")) returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2=".") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="..") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="...") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="windows") returned -1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="$RECYCLE.BIN") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="rsa") returned -1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="NTDETECT.COM") returned -1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="ntldr") returned -1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="MSDOS.SYS") returned -1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="IO.SYS") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="boot.ini") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="AUTOEXEC.BAT") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="ntuser.dat") returned -1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="desktop.ini") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="CONFIG.SYS") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="RECYCLER") returned -1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="BOOTSECT.BAK") returned 1 [0287.597] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="bootmgr") returned 1 [0287.598] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="programdata") returned -1 [0287.598] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="appdata") returned 1 [0287.598] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="program files") returned -1 [0287.598] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="program files (x86)") returned -1 [0287.598] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="microsoft") returned 1 [0287.598] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="sophos") returned -1 [0287.598] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28def08 [0287.598] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee70 | out: hHeap=0x28d0000) returned 1 [0287.598] PathFindExtensionW (pszPath="mr6JAtYL-X64Hc.odp") returned=".odp" [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".NEFILIM") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0287.598] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0287.598] lstrcmpiW (lpString1="mr6JAtYL-X64Hc.odp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0287.598] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x2d22050 [0287.599] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\mr6JAtYL-X64Hc.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\mr6jatyl-x64hc.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0287.599] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=12374) returned 1 [0287.599] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.599] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0287.599] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.599] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0287.599] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.599] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0287.599] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0287.601] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0287.603] GetTickCount () returned 0x1187fec [0287.603] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea10 [0287.603] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea10 | out: hHeap=0x28d0000) returned 1 [0287.603] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x3056, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.604] SetLastError (dwErrCode=0x0) [0287.604] WriteFile (in: hFile=0x278, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.605] GetLastError () returned 0x0 [0287.605] GetLastError () returned 0x0 [0287.605] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x3156, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.605] WriteFile (in: hFile=0x278, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.605] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x3256, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.605] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd1bdba1e, dwHighDateTime=0x1d5fd73)) [0287.605] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.605] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.605] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0287.605] GetProcessHeap () returned 0xa10000 [0287.605] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3056) returned 0xa416b8 [0287.605] GetSystemDefaultLangID () returned 0xa20409 [0287.605] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.605] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x3056, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x3056, lpOverlapped=0x0) returned 1 [0287.606] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.606] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x3056, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x3056, lpOverlapped=0x0) returned 1 [0287.607] GetProcessHeap () returned 0xa10000 [0287.607] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0287.607] CloseHandle (hObject=0x278) returned 1 [0287.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0287.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.607] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0287.607] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x2d220f8 [0287.607] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\mr6JAtYL-X64Hc.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\mr6jatyl-x64hc.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\mr6JAtYL-X64Hc.odp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\mr6jatyl-x64hc.odp.nefilim")) returned 1 [0287.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d220f8 | out: hHeap=0x28d0000) returned 1 [0287.608] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0287.608] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xead9da0, ftCreationTime.dwHighDateTime=0x1d5eb39, ftLastAccessTime.dwLowDateTime=0x67c262c0, ftLastAccessTime.dwHighDateTime=0x1d5e6d6, ftLastWriteTime.dwLowDateTime=0x67c262c0, ftLastWriteTime.dwHighDateTime=0x1d5e6d6, nFileSizeHigh=0x0, nFileSizeLow=0x10e83, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="QsJxb-QI55Ak.odp", cAlternateFileName="QSJXB-~1.ODP")) returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2=".") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="..") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="...") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="windows") returned -1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="$RECYCLE.BIN") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="rsa") returned -1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="NTDETECT.COM") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="ntldr") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="MSDOS.SYS") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="IO.SYS") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="boot.ini") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="AUTOEXEC.BAT") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="ntuser.dat") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="desktop.ini") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="CONFIG.SYS") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="RECYCLER") returned -1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="BOOTSECT.BAK") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="bootmgr") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="programdata") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="appdata") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="program files") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="program files (x86)") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="microsoft") returned 1 [0287.608] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="sophos") returned -1 [0287.608] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee70 [0287.609] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def08 | out: hHeap=0x28d0000) returned 1 [0287.609] PathFindExtensionW (pszPath="QsJxb-QI55Ak.odp") returned=".odp" [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".NEFILIM") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0287.609] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0287.609] lstrcmpiW (lpString1="QsJxb-QI55Ak.odp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28def08 [0287.609] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\QsJxb-QI55Ak.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\qsjxb-qi55ak.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0287.609] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=69251) returned 1 [0287.609] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.610] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0287.642] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.642] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0287.642] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.642] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.642] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0287.642] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0287.642] GetTickCount () returned 0x118801b [0287.643] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9d8 [0287.643] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9d8 | out: hHeap=0x28d0000) returned 1 [0287.643] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x10e83, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.643] SetLastError (dwErrCode=0x0) [0287.643] WriteFile (in: hFile=0x278, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.644] GetLastError () returned 0x0 [0287.644] GetLastError () returned 0x0 [0287.644] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x10f83, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.644] WriteFile (in: hFile=0x278, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.644] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x11083, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.644] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd1c4e06d, dwHighDateTime=0x1d5fd73)) [0287.644] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28defa0 [0287.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28defa0 | out: hHeap=0x28d0000) returned 1 [0287.644] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0287.644] GetProcessHeap () returned 0xa10000 [0287.644] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x10e83) returned 0xa416b8 [0287.644] GetSystemDefaultLangID () returned 0xa20409 [0287.644] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.644] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x10e83, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x10e83, lpOverlapped=0x0) returned 1 [0287.650] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.650] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x10e83, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x10e83, lpOverlapped=0x0) returned 1 [0287.650] GetProcessHeap () returned 0xa10000 [0287.650] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0287.650] CloseHandle (hObject=0x278) returned 1 [0287.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0287.650] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x2d22050 [0287.650] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\QsJxb-QI55Ak.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\qsjxb-qi55ak.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\QsJxb-QI55Ak.odp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\qsjxb-qi55ak.odp.nefilim")) returned 1 [0287.651] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0287.651] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def08 | out: hHeap=0x28d0000) returned 1 [0287.651] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64585850, ftCreationTime.dwHighDateTime=0x1d5e9ed, ftLastAccessTime.dwLowDateTime=0x6bfe100, ftLastAccessTime.dwHighDateTime=0x1d5ee6a, ftLastWriteTime.dwLowDateTime=0x6bfe100, ftLastWriteTime.dwHighDateTime=0x1d5ee6a, nFileSizeHigh=0x0, nFileSizeLow=0x1050a, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="wLLzK5nqw3zY1UryfjN.xlsx", cAlternateFileName="WLLZK5~1.XLS")) returned 1 [0287.651] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2=".") returned 1 [0287.651] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="..") returned 1 [0287.651] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="...") returned 1 [0287.651] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="windows") returned 1 [0287.651] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0287.651] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="rsa") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="NTDETECT.COM") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="ntldr") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="MSDOS.SYS") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="IO.SYS") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="boot.ini") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="ntuser.dat") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="desktop.ini") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="CONFIG.SYS") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="RECYCLER") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="bootmgr") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="programdata") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="appdata") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="program files") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="program files (x86)") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="microsoft") returned 1 [0287.652] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="sophos") returned 1 [0287.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28def08 [0287.652] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee70 | out: hHeap=0x28d0000) returned 1 [0287.652] PathFindExtensionW (pszPath="wLLzK5nqw3zY1UryfjN.xlsx") returned=".xlsx" [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0287.652] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0287.653] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0287.653] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0287.653] lstrcmpiW (lpString1="wLLzK5nqw3zY1UryfjN.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.653] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x2d22050 [0287.653] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\wLLzK5nqw3zY1UryfjN.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\wllzk5nqw3zy1uryfjn.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0287.653] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=66826) returned 1 [0287.653] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.653] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.653] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.653] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.653] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0287.653] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.653] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0287.655] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0287.656] GetTickCount () returned 0x118801b [0287.656] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec40 [0287.656] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec40 | out: hHeap=0x28d0000) returned 1 [0287.656] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1050a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.656] SetLastError (dwErrCode=0x0) [0287.657] WriteFile (in: hFile=0x278, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.657] GetLastError () returned 0x0 [0287.657] GetLastError () returned 0x0 [0287.657] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1060a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.658] WriteFile (in: hFile=0x278, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.658] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1070a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.658] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd1c743bd, dwHighDateTime=0x1d5fd73)) [0287.658] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.658] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.658] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0287.658] GetProcessHeap () returned 0xa10000 [0287.658] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1050a) returned 0xa416b8 [0287.658] GetSystemDefaultLangID () returned 0xa20409 [0287.658] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.658] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x1050a, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x1050a, lpOverlapped=0x0) returned 1 [0287.662] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.662] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x1050a, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x1050a, lpOverlapped=0x0) returned 1 [0287.663] GetProcessHeap () returned 0xa10000 [0287.663] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0287.663] CloseHandle (hObject=0x278) returned 1 [0287.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0287.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.663] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.663] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x2d220f8 [0287.663] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\wLLzK5nqw3zY1UryfjN.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\wllzk5nqw3zy1uryfjn.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\wLLzK5nqw3zY1UryfjN.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\wllzk5nqw3zy1uryfjn.xlsx.nefilim")) returned 1 [0287.664] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d220f8 | out: hHeap=0x28d0000) returned 1 [0287.664] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0287.664] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71419d40, ftCreationTime.dwHighDateTime=0x1d5e2d3, ftLastAccessTime.dwLowDateTime=0xad471d0, ftLastAccessTime.dwHighDateTime=0x1d5ed4c, ftLastWriteTime.dwLowDateTime=0xad471d0, ftLastWriteTime.dwHighDateTime=0x1d5ed4c, nFileSizeHigh=0x0, nFileSizeLow=0x15265, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="YPl5pUmpj2DOl.ots", cAlternateFileName="YPL5PU~1.OTS")) returned 1 [0287.664] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2=".") returned 1 [0287.664] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="..") returned 1 [0287.664] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="...") returned 1 [0287.664] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="windows") returned 1 [0287.664] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="$RECYCLE.BIN") returned 1 [0287.664] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="rsa") returned 1 [0287.664] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="NTDETECT.COM") returned 1 [0287.664] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="ntldr") returned 1 [0287.664] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="MSDOS.SYS") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="IO.SYS") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="boot.ini") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="AUTOEXEC.BAT") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="ntuser.dat") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="desktop.ini") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="CONFIG.SYS") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="RECYCLER") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="BOOTSECT.BAK") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="bootmgr") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="programdata") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="appdata") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="program files") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="program files (x86)") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="microsoft") returned 1 [0287.665] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="sophos") returned 1 [0287.665] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x2d22050 [0287.665] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def08 | out: hHeap=0x28d0000) returned 1 [0287.665] PathFindExtensionW (pszPath="YPl5pUmpj2DOl.ots") returned=".ots" [0287.665] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".log") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".cab") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".cmd") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".com") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".cpl") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".url") returned -1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".ttf") returned -1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".mp3") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".pif") returned -1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".mp4") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".NEFILIM") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0287.666] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0287.666] lstrcmpiW (lpString1="YPl5pUmpj2DOl.ots", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.666] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee70 [0287.666] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\YPl5pUmpj2DOl.ots" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\ypl5pumpj2dol.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0287.666] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=86629) returned 1 [0287.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.667] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.667] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0287.667] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0287.667] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0287.667] GetTickCount () returned 0x118802a [0287.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de930 [0287.667] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de930 | out: hHeap=0x28d0000) returned 1 [0287.667] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15265, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.668] SetLastError (dwErrCode=0x0) [0287.668] WriteFile (in: hFile=0x278, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.668] GetLastError () returned 0x0 [0287.669] GetLastError () returned 0x0 [0287.669] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15365, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.669] WriteFile (in: hFile=0x278, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0287.669] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15465, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.669] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd1c743bd, dwHighDateTime=0x1d5fd73)) [0287.669] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.669] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.669] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0287.669] GetProcessHeap () returned 0xa10000 [0287.669] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x15265) returned 0xa416b8 [0287.669] GetSystemDefaultLangID () returned 0xa20409 [0287.669] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.669] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x15265, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x15265, lpOverlapped=0x0) returned 1 [0287.679] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.679] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x15265, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x15265, lpOverlapped=0x0) returned 1 [0287.680] GetProcessHeap () returned 0xa10000 [0287.680] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0287.680] CloseHandle (hObject=0x278) returned 1 [0287.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0287.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28def18 [0287.680] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\YPl5pUmpj2DOl.ots" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\ypl5pumpj2dol.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\eTZdbxM4K\\YPl5pUmpj2DOl.ots.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\etzdbxm4k\\ypl5pumpj2dol.ots.nefilim")) returned 1 [0287.681] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def18 | out: hHeap=0x28d0000) returned 1 [0287.681] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee70 | out: hHeap=0x28d0000) returned 1 [0287.681] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71419d40, ftCreationTime.dwHighDateTime=0x1d5e2d3, ftLastAccessTime.dwLowDateTime=0xad471d0, ftLastAccessTime.dwHighDateTime=0x1d5ed4c, ftLastWriteTime.dwLowDateTime=0xad471d0, ftLastWriteTime.dwHighDateTime=0x1d5ed4c, nFileSizeHigh=0x0, nFileSizeLow=0x15265, dwReserved0=0x28ded08, dwReserved1=0x4000000, cFileName="YPl5pUmpj2DOl.ots", cAlternateFileName="YPL5PU~1.OTS")) returned 0 [0287.681] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0287.683] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0287.683] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedf8 | out: hHeap=0x28d0000) returned 1 [0287.683] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded80 | out: hHeap=0x28d0000) returned 1 [0287.683] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda1be7d0, ftCreationTime.dwHighDateTime=0x1d5e6a2, ftLastAccessTime.dwLowDateTime=0xd435d2d0, ftLastAccessTime.dwHighDateTime=0x1d5e8a6, ftLastWriteTime.dwLowDateTime=0xd435d2d0, ftLastWriteTime.dwHighDateTime=0x1d5e8a6, nFileSizeHigh=0x0, nFileSizeLow=0x17c58, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="pmz Z.xls", cAlternateFileName="PMZZ~1.XLS")) returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2=".") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="..") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="...") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="windows") returned -1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="$RECYCLE.BIN") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="rsa") returned -1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="NTDETECT.COM") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="ntldr") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="MSDOS.SYS") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="IO.SYS") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="boot.ini") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="AUTOEXEC.BAT") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="ntuser.dat") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="desktop.ini") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="CONFIG.SYS") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="RECYCLER") returned -1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="BOOTSECT.BAK") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="bootmgr") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="programdata") returned -1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="appdata") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="program files") returned -1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="program files (x86)") returned -1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="microsoft") returned 1 [0287.683] lstrcmpiW (lpString1="pmz Z.xls", lpString2="sophos") returned -1 [0287.684] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded80 [0287.684] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.684] PathFindExtensionW (pszPath="pmz Z.xls") returned=".xls" [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0287.684] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0287.684] lstrcmpiW (lpString1="pmz Z.xls", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.684] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded08 [0287.684] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\pmz Z.xls" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\pmz z.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.685] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=97368) returned 1 [0287.685] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.685] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0287.685] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.685] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0287.685] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.685] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0287.685] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.687] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.687] GetTickCount () returned 0x118803a [0287.687] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c0 [0287.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c0 | out: hHeap=0x28d0000) returned 1 [0287.687] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17c58, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.687] SetLastError (dwErrCode=0x0) [0287.687] WriteFile (in: hFile=0x274, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.688] GetLastError () returned 0x0 [0287.688] GetLastError () returned 0x0 [0287.688] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17d58, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.688] WriteFile (in: hFile=0x274, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.688] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17e58, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.688] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1cc089d, dwHighDateTime=0x1d5fd73)) [0287.688] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.688] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.688] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.689] GetProcessHeap () returned 0xa10000 [0287.689] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x17c58) returned 0xa406b0 [0287.689] GetSystemDefaultLangID () returned 0xa20409 [0287.689] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.689] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x17c58, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x17c58, lpOverlapped=0x0) returned 1 [0287.694] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.694] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x17c58, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x17c58, lpOverlapped=0x0) returned 1 [0287.695] GetProcessHeap () returned 0xa10000 [0287.695] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.695] CloseHandle (hObject=0x274) returned 1 [0287.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0287.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.695] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0287.695] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dedf8 [0287.695] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\pmz Z.xls" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\pmz z.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\pmz Z.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\pmz z.xls.nefilim")) returned 1 [0287.696] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedf8 | out: hHeap=0x28d0000) returned 1 [0287.696] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.696] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe00e8130, ftCreationTime.dwHighDateTime=0x1d5e3f4, ftLastAccessTime.dwLowDateTime=0xe0d65fa0, ftLastAccessTime.dwHighDateTime=0x1d5e234, ftLastWriteTime.dwLowDateTime=0xe0d65fa0, ftLastWriteTime.dwHighDateTime=0x1d5e234, nFileSizeHigh=0x0, nFileSizeLow=0xb632, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="QlRxQ3OT.rtf", cAlternateFileName="")) returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2=".") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="..") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="...") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="windows") returned -1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="$RECYCLE.BIN") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="rsa") returned -1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="NTDETECT.COM") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="ntldr") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="MSDOS.SYS") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="IO.SYS") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="boot.ini") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="ntuser.dat") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="desktop.ini") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="CONFIG.SYS") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="RECYCLER") returned -1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="BOOTSECT.BAK") returned 1 [0287.696] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="bootmgr") returned 1 [0287.697] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="programdata") returned 1 [0287.697] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="appdata") returned 1 [0287.697] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="program files") returned 1 [0287.697] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="program files (x86)") returned 1 [0287.697] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="microsoft") returned 1 [0287.697] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="sophos") returned -1 [0287.697] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dedf8 [0287.697] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded80 | out: hHeap=0x28d0000) returned 1 [0287.697] PathFindExtensionW (pszPath="QlRxQ3OT.rtf") returned=".rtf" [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0287.697] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0287.697] lstrcmpiW (lpString1="QlRxQ3OT.rtf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.697] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28ded08 [0287.697] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\QlRxQ3OT.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\qlrxq3ot.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.698] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=46642) returned 1 [0287.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0287.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.698] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0287.698] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.698] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0287.698] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.699] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.701] GetTickCount () returned 0x1188049 [0287.701] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deab8 [0287.701] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deab8 | out: hHeap=0x28d0000) returned 1 [0287.701] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb632, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.702] SetLastError (dwErrCode=0x0) [0287.702] WriteFile (in: hFile=0x274, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.703] GetLastError () returned 0x0 [0287.703] GetLastError () returned 0x0 [0287.703] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb732, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.703] WriteFile (in: hFile=0x274, lpBuffer=0x2d21b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21b40*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.703] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb832, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.703] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1cc089d, dwHighDateTime=0x1d5fd73)) [0287.703] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.703] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.703] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.703] GetProcessHeap () returned 0xa10000 [0287.703] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xb632) returned 0xa406b0 [0287.703] GetSystemDefaultLangID () returned 0xa20409 [0287.703] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.703] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0xb632, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0xb632, lpOverlapped=0x0) returned 1 [0287.706] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.707] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0xb632, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0xb632, lpOverlapped=0x0) returned 1 [0287.707] GetProcessHeap () returned 0xa10000 [0287.707] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.707] CloseHandle (hObject=0x274) returned 1 [0287.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21b40 | out: hHeap=0x28d0000) returned 1 [0287.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0287.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.707] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee80 [0287.707] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\QlRxQ3OT.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\qlrxq3ot.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\QlRxQ3OT.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\qlrxq3ot.rtf.nefilim")) returned 1 [0287.708] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee80 | out: hHeap=0x28d0000) returned 1 [0287.708] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.708] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc268600, ftCreationTime.dwHighDateTime=0x1d5ea3f, ftLastAccessTime.dwLowDateTime=0xbdd4a430, ftLastAccessTime.dwHighDateTime=0x1d5e50e, ftLastWriteTime.dwLowDateTime=0xbdd4a430, ftLastWriteTime.dwHighDateTime=0x1d5e50e, nFileSizeHigh=0x0, nFileSizeLow=0x55cf, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="Qwo0PNx.xls", cAlternateFileName="")) returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2=".") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="..") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="...") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="windows") returned -1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="$RECYCLE.BIN") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="rsa") returned -1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="NTDETECT.COM") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="ntldr") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="MSDOS.SYS") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="IO.SYS") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="boot.ini") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="AUTOEXEC.BAT") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="ntuser.dat") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="desktop.ini") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="CONFIG.SYS") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="RECYCLER") returned -1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="BOOTSECT.BAK") returned 1 [0287.708] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="bootmgr") returned 1 [0287.709] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="programdata") returned 1 [0287.709] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="appdata") returned 1 [0287.709] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="program files") returned 1 [0287.709] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="program files (x86)") returned 1 [0287.709] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="microsoft") returned 1 [0287.709] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="sophos") returned -1 [0287.709] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28ded08 [0287.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedf8 | out: hHeap=0x28d0000) returned 1 [0287.709] PathFindExtensionW (pszPath="Qwo0PNx.xls") returned=".xls" [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0287.709] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0287.709] lstrcmpiW (lpString1="Qwo0PNx.xls", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.709] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28ded90 [0287.709] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\Qwo0PNx.xls" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\qwo0pnx.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.710] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=21967) returned 1 [0287.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.710] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.710] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.710] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.710] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.710] GetTickCount () returned 0x1188059 [0287.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb28 [0287.710] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb28 | out: hHeap=0x28d0000) returned 1 [0287.710] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x55cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.711] SetLastError (dwErrCode=0x0) [0287.711] WriteFile (in: hFile=0x274, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.712] GetLastError () returned 0x0 [0287.712] GetLastError () returned 0x0 [0287.712] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x56cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.712] WriteFile (in: hFile=0x274, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.712] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x57cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.712] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1ce6aa6, dwHighDateTime=0x1d5fd73)) [0287.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.712] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.712] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.712] GetProcessHeap () returned 0xa10000 [0287.712] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x55cf) returned 0xa406b0 [0287.712] GetSystemDefaultLangID () returned 0xa20409 [0287.712] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.712] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x55cf, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x55cf, lpOverlapped=0x0) returned 1 [0287.714] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.714] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x55cf, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x55cf, lpOverlapped=0x0) returned 1 [0287.714] GetProcessHeap () returned 0xa10000 [0287.714] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.715] CloseHandle (hObject=0x274) returned 1 [0287.715] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.716] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.716] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.716] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.716] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee18 [0287.716] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\Qwo0PNx.xls" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\qwo0pnx.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\Qwo0PNx.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\qwo0pnx.xls.nefilim")) returned 1 [0287.716] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee18 | out: hHeap=0x28d0000) returned 1 [0287.716] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded90 | out: hHeap=0x28d0000) returned 1 [0287.716] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7402a570, ftCreationTime.dwHighDateTime=0x1d5eb4c, ftLastAccessTime.dwLowDateTime=0x79ba2cf0, ftLastAccessTime.dwHighDateTime=0x1d5e501, ftLastWriteTime.dwLowDateTime=0x79ba2cf0, ftLastWriteTime.dwHighDateTime=0x1d5e501, nFileSizeHigh=0x0, nFileSizeLow=0x97d3, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="TEq3H.ppt", cAlternateFileName="")) returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2=".") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="..") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="...") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="windows") returned -1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="$RECYCLE.BIN") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="rsa") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="NTDETECT.COM") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="ntldr") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="MSDOS.SYS") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="IO.SYS") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="boot.ini") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="AUTOEXEC.BAT") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="ntuser.dat") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="desktop.ini") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="CONFIG.SYS") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="RECYCLER") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="BOOTSECT.BAK") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="bootmgr") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="programdata") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="appdata") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="program files") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="program files (x86)") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="microsoft") returned 1 [0287.717] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="sophos") returned 1 [0287.717] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded90 [0287.717] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.718] PathFindExtensionW (pszPath="TEq3H.ppt") returned=".ppt" [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".NEFILIM") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0287.718] lstrcmpiW (lpString1="TEq3H.ppt", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.718] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded08 [0287.718] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\TEq3H.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\teq3h.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.718] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=38867) returned 1 [0287.718] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0287.718] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.718] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0287.719] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.719] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0287.719] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.719] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.814] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.816] GetTickCount () returned 0x11880c6 [0287.816] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf0 [0287.816] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf0 | out: hHeap=0x28d0000) returned 1 [0287.816] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x97d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.816] SetLastError (dwErrCode=0x0) [0287.816] WriteFile (in: hFile=0x274, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.817] GetLastError () returned 0x0 [0287.817] GetLastError () returned 0x0 [0287.817] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x98d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.817] WriteFile (in: hFile=0x274, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.817] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x99d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.817] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1df1af6, dwHighDateTime=0x1d5fd73)) [0287.817] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.817] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.818] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.818] GetProcessHeap () returned 0xa10000 [0287.818] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x97d3) returned 0xa406b0 [0287.819] GetSystemDefaultLangID () returned 0xa20409 [0287.819] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.819] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x97d3, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x97d3, lpOverlapped=0x0) returned 1 [0287.822] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.822] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x97d3, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x97d3, lpOverlapped=0x0) returned 1 [0287.822] GetProcessHeap () returned 0xa10000 [0287.822] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.822] CloseHandle (hObject=0x274) returned 1 [0287.822] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0287.822] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.822] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0287.822] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.822] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dee08 [0287.822] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\TEq3H.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\teq3h.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\TEq3H.ppt.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\teq3h.ppt.nefilim")) returned 1 [0287.823] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee08 | out: hHeap=0x28d0000) returned 1 [0287.823] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.823] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd62e0ab0, ftCreationTime.dwHighDateTime=0x1d5e5c4, ftLastAccessTime.dwLowDateTime=0xa28a25d0, ftLastAccessTime.dwHighDateTime=0x1d5ea7a, ftLastWriteTime.dwLowDateTime=0xa28a25d0, ftLastWriteTime.dwHighDateTime=0x1d5ea7a, nFileSizeHigh=0x0, nFileSizeLow=0xbead, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="UwRf.rtf", cAlternateFileName="")) returned 1 [0287.823] lstrcmpiW (lpString1="UwRf.rtf", lpString2=".") returned 1 [0287.823] lstrcmpiW (lpString1="UwRf.rtf", lpString2="..") returned 1 [0287.823] lstrcmpiW (lpString1="UwRf.rtf", lpString2="...") returned 1 [0287.823] lstrcmpiW (lpString1="UwRf.rtf", lpString2="windows") returned -1 [0287.823] lstrcmpiW (lpString1="UwRf.rtf", lpString2="$RECYCLE.BIN") returned 1 [0287.823] lstrcmpiW (lpString1="UwRf.rtf", lpString2="rsa") returned 1 [0287.823] lstrcmpiW (lpString1="UwRf.rtf", lpString2="NTDETECT.COM") returned 1 [0287.823] lstrcmpiW (lpString1="UwRf.rtf", lpString2="ntldr") returned 1 [0287.823] lstrcmpiW (lpString1="UwRf.rtf", lpString2="MSDOS.SYS") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="IO.SYS") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="boot.ini") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="ntuser.dat") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="desktop.ini") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="CONFIG.SYS") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="RECYCLER") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="BOOTSECT.BAK") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="bootmgr") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="programdata") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="appdata") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="program files") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="program files (x86)") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="microsoft") returned 1 [0287.824] lstrcmpiW (lpString1="UwRf.rtf", lpString2="sophos") returned 1 [0287.824] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded08 [0287.824] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded90 | out: hHeap=0x28d0000) returned 1 [0287.824] PathFindExtensionW (pszPath="UwRf.rtf") returned=".rtf" [0287.824] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0287.824] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0287.824] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0287.824] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0287.824] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0287.824] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0287.825] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0287.825] lstrcmpiW (lpString1="UwRf.rtf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.825] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28ded80 [0287.825] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\UwRf.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\uwrf.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.825] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=48813) returned 1 [0287.825] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.825] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.825] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.826] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.826] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0287.826] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.826] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.826] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.826] GetTickCount () returned 0x11880c6 [0287.826] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea80 [0287.826] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea80 | out: hHeap=0x28d0000) returned 1 [0287.827] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbead, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.827] SetLastError (dwErrCode=0x0) [0287.827] WriteFile (in: hFile=0x274, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.828] GetLastError () returned 0x0 [0287.828] GetLastError () returned 0x0 [0287.828] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbfad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.828] WriteFile (in: hFile=0x274, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.828] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc0ad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.828] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1e8a4e8, dwHighDateTime=0x1d5fd73)) [0287.876] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.876] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.876] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.876] GetProcessHeap () returned 0xa10000 [0287.876] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xbead) returned 0xa406b0 [0287.876] GetSystemDefaultLangID () returned 0xa20409 [0287.876] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.876] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0xbead, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0xbead, lpOverlapped=0x0) returned 1 [0287.879] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.879] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0xbead, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0xbead, lpOverlapped=0x0) returned 1 [0287.879] GetProcessHeap () returned 0xa10000 [0287.879] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.879] CloseHandle (hObject=0x274) returned 1 [0287.879] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0287.879] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.879] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.879] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.879] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dedf8 [0287.879] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\UwRf.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\uwrf.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\UwRf.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\uwrf.rtf.nefilim")) returned 1 [0287.880] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedf8 | out: hHeap=0x28d0000) returned 1 [0287.880] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded80 | out: hHeap=0x28d0000) returned 1 [0287.880] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8d42e50, ftCreationTime.dwHighDateTime=0x1d5e72c, ftLastAccessTime.dwLowDateTime=0xd935b150, ftLastAccessTime.dwHighDateTime=0x1d5eae6, ftLastWriteTime.dwLowDateTime=0xd935b150, ftLastWriteTime.dwHighDateTime=0x1d5eae6, nFileSizeHigh=0x0, nFileSizeLow=0x1016c, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="wIlb-o.docx", cAlternateFileName="WILB-O~1.DOC")) returned 1 [0287.880] lstrcmpiW (lpString1="wIlb-o.docx", lpString2=".") returned 1 [0287.880] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="..") returned 1 [0287.880] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="...") returned 1 [0287.880] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="windows") returned -1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="$RECYCLE.BIN") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="rsa") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="NTDETECT.COM") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="ntldr") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="MSDOS.SYS") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="IO.SYS") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="boot.ini") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="AUTOEXEC.BAT") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="ntuser.dat") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="desktop.ini") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="CONFIG.SYS") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="RECYCLER") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="BOOTSECT.BAK") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="bootmgr") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="programdata") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="appdata") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="program files") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="program files (x86)") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="microsoft") returned 1 [0287.881] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="sophos") returned 1 [0287.881] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28ded80 [0287.881] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0287.881] PathFindExtensionW (pszPath="wIlb-o.docx") returned=".docx" [0287.881] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0287.881] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0287.881] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0287.881] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0287.881] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0287.881] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0287.881] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0287.881] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0287.881] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0287.882] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0287.882] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0287.882] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0287.882] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0287.882] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0287.882] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0287.882] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0287.882] lstrcmpiW (lpString1="wIlb-o.docx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.882] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dee08 [0287.882] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\wIlb-o.docx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\wilb-o.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.882] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=65900) returned 1 [0287.882] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0287.882] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0287.882] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0287.882] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0287.882] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0287.882] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.882] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.883] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.883] GetTickCount () returned 0x1188105 [0287.883] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec40 [0287.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec40 | out: hHeap=0x28d0000) returned 1 [0287.883] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1016c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.883] SetLastError (dwErrCode=0x0) [0287.883] WriteFile (in: hFile=0x274, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.884] GetLastError () returned 0x0 [0287.884] GetLastError () returned 0x0 [0287.884] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1026c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.884] WriteFile (in: hFile=0x274, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.884] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1036c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.884] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1e8a4e8, dwHighDateTime=0x1d5fd73)) [0287.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.884] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.884] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.884] GetProcessHeap () returned 0xa10000 [0287.884] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1016c) returned 0xa406b0 [0287.884] GetSystemDefaultLangID () returned 0xa20409 [0287.884] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.885] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x1016c, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x1016c, lpOverlapped=0x0) returned 1 [0287.888] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.888] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x1016c, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x1016c, lpOverlapped=0x0) returned 1 [0287.888] GetProcessHeap () returned 0xa10000 [0287.888] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.888] CloseHandle (hObject=0x274) returned 1 [0287.888] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0287.888] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.888] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0287.889] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0287.889] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee90 [0287.889] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\wIlb-o.docx" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\wilb-o.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\wIlb-o.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\wilb-o.docx.nefilim")) returned 1 [0287.889] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee90 | out: hHeap=0x28d0000) returned 1 [0287.889] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee08 | out: hHeap=0x28d0000) returned 1 [0287.889] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22358b60, ftCreationTime.dwHighDateTime=0x1d5e2da, ftLastAccessTime.dwLowDateTime=0x89e6cff0, ftLastAccessTime.dwHighDateTime=0x1d5eea4, ftLastWriteTime.dwLowDateTime=0x89e6cff0, ftLastWriteTime.dwHighDateTime=0x1d5eea4, nFileSizeHigh=0x0, nFileSizeLow=0x162b9, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="Yw1WZKZdPl3VdMgT_.odp", cAlternateFileName="YW1WZK~1.ODP")) returned 1 [0287.889] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2=".") returned 1 [0287.889] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="..") returned 1 [0287.889] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="...") returned 1 [0287.889] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="windows") returned 1 [0287.889] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="$RECYCLE.BIN") returned 1 [0287.889] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="rsa") returned 1 [0287.889] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="NTDETECT.COM") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="ntldr") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="MSDOS.SYS") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="IO.SYS") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="boot.ini") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="AUTOEXEC.BAT") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="ntuser.dat") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="desktop.ini") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="CONFIG.SYS") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="RECYCLER") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="BOOTSECT.BAK") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="bootmgr") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="programdata") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="appdata") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="program files") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="program files (x86)") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="microsoft") returned 1 [0287.890] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="sophos") returned 1 [0287.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee08 [0287.890] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded80 | out: hHeap=0x28d0000) returned 1 [0287.890] PathFindExtensionW (pszPath="Yw1WZKZdPl3VdMgT_.odp") returned=".odp" [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0287.890] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0287.891] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0287.891] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0287.891] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0287.891] lstrcmpiW (lpString1=".odp", lpString2=".NEFILIM") returned 1 [0287.891] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0287.891] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0287.891] lstrcmpiW (lpString1="Yw1WZKZdPl3VdMgT_.odp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0287.891] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28ded08 [0287.891] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\Yw1WZKZdPl3VdMgT_.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\yw1wzkzdpl3vdmgt_.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0287.938] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=90809) returned 1 [0287.939] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0287.939] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0287.939] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0287.939] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0287.939] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0287.939] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0287.939] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0287.941] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0287.944] GetTickCount () returned 0x1188143 [0287.944] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec40 [0287.944] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec40 | out: hHeap=0x28d0000) returned 1 [0287.944] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x162b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.944] SetLastError (dwErrCode=0x0) [0287.944] WriteFile (in: hFile=0x274, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.945] GetLastError () returned 0x0 [0287.945] GetLastError () returned 0x0 [0287.945] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x163b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.945] WriteFile (in: hFile=0x274, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0287.945] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x164b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.945] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd1f22e19, dwHighDateTime=0x1d5fd73)) [0287.945] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe00 [0287.945] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0287.946] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0287.946] GetProcessHeap () returned 0xa10000 [0287.946] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x162b9) returned 0xa406b0 [0287.946] GetSystemDefaultLangID () returned 0xa20409 [0287.946] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.946] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x162b9, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x162b9, lpOverlapped=0x0) returned 1 [0287.952] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0287.952] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x162b9, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x162b9, lpOverlapped=0x0) returned 1 [0287.952] GetProcessHeap () returned 0xa10000 [0287.952] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0287.952] CloseHandle (hObject=0x274) returned 1 [0287.952] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0287.952] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0287.952] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0287.952] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0287.953] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28deea0 [0287.953] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\Yw1WZKZdPl3VdMgT_.odp" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\yw1wzkzdpl3vdmgt_.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\VZmu9qCRRT5RN\\_Tu_\\Yw1WZKZdPl3VdMgT_.odp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\vzmu9qcrrt5rn\\_tu_\\yw1wzkzdpl3vdmgt_.odp.nefilim")) returned 1 [0288.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deea0 | out: hHeap=0x28d0000) returned 1 [0288.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded08 | out: hHeap=0x28d0000) returned 1 [0288.011] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22358b60, ftCreationTime.dwHighDateTime=0x1d5e2da, ftLastAccessTime.dwLowDateTime=0x89e6cff0, ftLastAccessTime.dwHighDateTime=0x1d5eea4, ftLastWriteTime.dwLowDateTime=0x89e6cff0, ftLastWriteTime.dwHighDateTime=0x1d5eea4, nFileSizeHigh=0x0, nFileSizeLow=0x162b9, dwReserved0=0x28de788, dwReserved1=0x3000000, cFileName="Yw1WZKZdPl3VdMgT_.odp", cAlternateFileName="YW1WZK~1.ODP")) returned 0 [0288.011] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0288.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee08 | out: hHeap=0x28d0000) returned 1 [0288.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f0 | out: hHeap=0x28d0000) returned 1 [0288.011] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7793d130, ftCreationTime.dwHighDateTime=0x1d5efdb, ftLastAccessTime.dwLowDateTime=0xd5079350, ftLastAccessTime.dwHighDateTime=0x1d5ec2b, ftLastWriteTime.dwLowDateTime=0xd5079350, ftLastWriteTime.dwHighDateTime=0x1d5ec2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbdf0, dwReserved1=0x18000119, cFileName="_Tu_", cAlternateFileName="")) returned 0 [0288.011] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0288.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0288.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0288.011] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4738d90, ftCreationTime.dwHighDateTime=0x1d5e6f7, ftLastAccessTime.dwLowDateTime=0xe442f3c0, ftLastAccessTime.dwHighDateTime=0x1d5e931, ftLastWriteTime.dwLowDateTime=0xe442f3c0, ftLastWriteTime.dwHighDateTime=0x1d5e931, nFileSizeHigh=0x0, nFileSizeLow=0x10df9, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="ZH8Bf.xls", cAlternateFileName="")) returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2=".") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="..") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="...") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="windows") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="$RECYCLE.BIN") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="rsa") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="NTDETECT.COM") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="ntldr") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="MSDOS.SYS") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="IO.SYS") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="boot.ini") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="AUTOEXEC.BAT") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="ntuser.dat") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="desktop.ini") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="CONFIG.SYS") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="RECYCLER") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="BOOTSECT.BAK") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="bootmgr") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="programdata") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="appdata") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="program files") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="program files (x86)") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="microsoft") returned 1 [0288.012] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="sophos") returned 1 [0288.012] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd98 [0288.012] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0288.012] PathFindExtensionW (pszPath="ZH8Bf.xls") returned=".xls" [0288.012] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0288.012] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0288.012] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0288.013] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0288.013] lstrcmpiW (lpString1="ZH8Bf.xls", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdf0 [0288.013] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\ZH8Bf.xls" (normalized: "c:\\users\\fd1hvy\\documents\\zh8bf.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0288.013] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=69113) returned 1 [0288.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0288.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.013] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0288.013] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0288.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0288.014] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26eec08*=0x100) returned 1 [0288.014] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eec04*=0x100) returned 1 [0288.014] GetTickCount () returned 0x1188182 [0288.014] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea48 [0288.014] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea48 | out: hHeap=0x28d0000) returned 1 [0288.014] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10df9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.014] SetLastError (dwErrCode=0x0) [0288.014] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.015] GetLastError () returned 0x0 [0288.015] GetLastError () returned 0x0 [0288.015] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10ef9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.015] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.015] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10ff9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.015] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1fbb6d3, dwHighDateTime=0x1d5fd73)) [0288.015] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe48 [0288.016] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0288.016] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0288.016] GetProcessHeap () returned 0xa10000 [0288.016] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x10df9) returned 0xa3e6a0 [0288.016] GetSystemDefaultLangID () returned 0xa20409 [0288.016] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.016] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x10df9, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x10df9, lpOverlapped=0x0) returned 1 [0288.020] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.020] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x10df9, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x10df9, lpOverlapped=0x0) returned 1 [0288.020] GetProcessHeap () returned 0xa10000 [0288.020] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0288.020] CloseHandle (hObject=0x26c) returned 1 [0288.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0288.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0288.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0288.020] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.020] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe48 [0288.020] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\ZH8Bf.xls" (normalized: "c:\\users\\fd1hvy\\documents\\zh8bf.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\ZH8Bf.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\zh8bf.xls.nefilim")) returned 1 [0288.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe48 | out: hHeap=0x28d0000) returned 1 [0288.021] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0288.021] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66cdafd0, ftCreationTime.dwHighDateTime=0x1d5b8f2, ftLastAccessTime.dwLowDateTime=0x9ab3460, ftLastAccessTime.dwHighDateTime=0x1d5ee5a, ftLastWriteTime.dwLowDateTime=0x9ab3460, ftLastWriteTime.dwHighDateTime=0x1d5ee5a, nFileSizeHigh=0x0, nFileSizeLow=0xb748, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="ZnghIWDXphjRGo.xlsx", cAlternateFileName="ZNGHIW~1.XLS")) returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2=".") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="..") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="...") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="windows") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="rsa") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="NTDETECT.COM") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="ntldr") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="MSDOS.SYS") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="IO.SYS") returned 1 [0288.021] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="boot.ini") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="ntuser.dat") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="desktop.ini") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="CONFIG.SYS") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="RECYCLER") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="bootmgr") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="programdata") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="appdata") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="program files") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="program files (x86)") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="microsoft") returned 1 [0288.022] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="sophos") returned 1 [0288.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf0 [0288.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0288.022] PathFindExtensionW (pszPath="ZnghIWDXphjRGo.xlsx") returned=".xlsx" [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0288.022] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0288.023] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0288.023] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0288.023] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0288.023] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0288.023] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0288.023] lstrcmpiW (lpString1="ZnghIWDXphjRGo.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe58 [0288.023] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\ZnghIWDXphjRGo.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\znghiwdxphjrgo.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0288.023] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=46920) returned 1 [0288.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0288.023] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.023] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0288.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.023] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0288.023] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0288.025] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0288.027] GetTickCount () returned 0x1188192 [0288.027] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb28 [0288.027] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb28 | out: hHeap=0x28d0000) returned 1 [0288.027] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xb748, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.027] SetLastError (dwErrCode=0x0) [0288.027] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.028] GetLastError () returned 0x0 [0288.028] GetLastError () returned 0x0 [0288.028] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xb848, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.028] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.028] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xb948, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.028] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd1fe4e2b, dwHighDateTime=0x1d5fd73)) [0288.028] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbec0 [0288.028] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec0 | out: hHeap=0x28d0000) returned 1 [0288.028] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0288.028] GetProcessHeap () returned 0xa10000 [0288.028] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xb748) returned 0xa3e6a0 [0288.029] GetSystemDefaultLangID () returned 0xa20409 [0288.029] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.029] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xb748, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xb748, lpOverlapped=0x0) returned 1 [0288.031] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.031] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xb748, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xb748, lpOverlapped=0x0) returned 1 [0288.032] GetProcessHeap () returned 0xa10000 [0288.032] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0288.032] CloseHandle (hObject=0x26c) returned 1 [0288.032] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.032] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0288.032] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.032] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0288.032] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0288.032] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\ZnghIWDXphjRGo.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\znghiwdxphjrgo.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\ZnghIWDXphjRGo.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\znghiwdxphjrgo.xlsx.nefilim")) returned 1 [0288.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0288.033] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96740230, ftCreationTime.dwHighDateTime=0x1d5cfd0, ftLastAccessTime.dwLowDateTime=0x3d598b70, ftLastAccessTime.dwHighDateTime=0x1d596a0, ftLastWriteTime.dwLowDateTime=0x3d598b70, ftLastWriteTime.dwHighDateTime=0x1d596a0, nFileSizeHigh=0x0, nFileSizeLow=0x16969, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="_s4zypFTp1LVb1M3.xlsx", cAlternateFileName="_S4ZYP~1.XLS")) returned 1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2=".") returned 1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="..") returned 1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="...") returned 1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="windows") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="rsa") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="NTDETECT.COM") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="ntldr") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="MSDOS.SYS") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="IO.SYS") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="boot.ini") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="AUTOEXEC.BAT") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="ntuser.dat") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="desktop.ini") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="CONFIG.SYS") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="RECYCLER") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="BOOTSECT.BAK") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="bootmgr") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="programdata") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="appdata") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="program files") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="program files (x86)") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="microsoft") returned -1 [0288.033] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="sophos") returned -1 [0288.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe58 [0288.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf0 | out: hHeap=0x28d0000) returned 1 [0288.034] PathFindExtensionW (pszPath="_s4zypFTp1LVb1M3.xlsx") returned=".xlsx" [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0288.034] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0288.034] lstrcmpiW (lpString1="_s4zypFTp1LVb1M3.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0288.034] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\_s4zypFTp1LVb1M3.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\_s4zypftp1lvb1m3.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0288.035] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=92521) returned 1 [0288.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0288.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.035] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0288.035] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.035] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0288.035] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0288.035] GetTickCount () returned 0x11881a1 [0288.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9d8 [0288.035] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9d8 | out: hHeap=0x28d0000) returned 1 [0288.035] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16969, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.035] SetLastError (dwErrCode=0x0) [0288.035] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.036] GetLastError () returned 0x0 [0288.036] GetLastError () returned 0x0 [0288.036] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16a69, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.036] WriteFile (in: hFile=0x26c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.037] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16b69, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.037] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2007d8e, dwHighDateTime=0x1d5fd73)) [0288.037] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbec0 [0288.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbec0 | out: hHeap=0x28d0000) returned 1 [0288.037] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0288.037] GetProcessHeap () returned 0xa10000 [0288.037] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x16969) returned 0xa3e6a0 [0288.037] GetSystemDefaultLangID () returned 0xa20409 [0288.037] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.037] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x16969, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x16969, lpOverlapped=0x0) returned 1 [0288.042] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.042] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x16969, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x16969, lpOverlapped=0x0) returned 1 [0288.043] GetProcessHeap () returned 0xa10000 [0288.043] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0288.043] CloseHandle (hObject=0x26c) returned 1 [0288.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0288.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.043] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de720 [0288.043] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\_s4zypFTp1LVb1M3.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\_s4zypftp1lvb1m3.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\_s4zypFTp1LVb1M3.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\_s4zypftp1lvb1m3.xlsx.nefilim")) returned 1 [0288.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0288.044] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96740230, ftCreationTime.dwHighDateTime=0x1d5cfd0, ftLastAccessTime.dwLowDateTime=0x3d598b70, ftLastAccessTime.dwHighDateTime=0x1d596a0, ftLastWriteTime.dwLowDateTime=0x3d598b70, ftLastWriteTime.dwHighDateTime=0x1d596a0, nFileSizeHigh=0x0, nFileSizeLow=0x16969, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="_s4zypFTp1LVb1M3.xlsx", cAlternateFileName="_S4ZYP~1.XLS")) returned 0 [0288.044] FindClose (in: hFindFile=0xa2f9a0 | out: hFindFile=0xa2f9a0) returned 1 [0288.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe58 | out: hHeap=0x28d0000) returned 1 [0288.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd50 | out: hHeap=0x28d0000) returned 1 [0288.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0288.044] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="$RECYCLE.BIN") returned 1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="NTDETECT.COM") returned -1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="ntldr") returned -1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="MSDOS.SYS") returned -1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="IO.SYS") returned -1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="boot.ini") returned 1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="AUTOEXEC.BAT") returned 1 [0288.044] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="desktop.ini") returned 1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="CONFIG.SYS") returned 1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="RECYCLER") returned -1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="BOOTSECT.BAK") returned 1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="microsoft") returned -1 [0288.045] lstrcmpiW (lpString1="Downloads", lpString2="sophos") returned -1 [0288.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0288.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0288.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0288.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7f8 [0288.045] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Downloads\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f420 [0288.045] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.045] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0288.045] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.046] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.046] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0288.046] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0288.046] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0288.046] FindClose (in: hFindFile=0xa2f420 | out: hFindFile=0xa2f420) returned 1 [0288.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0288.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.046] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0288.046] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0288.046] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="$RECYCLE.BIN") returned 1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="NTDETECT.COM") returned -1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="ntldr") returned -1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="MSDOS.SYS") returned -1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="IO.SYS") returned -1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="boot.ini") returned 1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="AUTOEXEC.BAT") returned 1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="desktop.ini") returned 1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="CONFIG.SYS") returned 1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="RECYCLER") returned -1 [0288.047] lstrcmpiW (lpString1="Favorites", lpString2="BOOTSECT.BAK") returned 1 [0288.104] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0288.104] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0288.104] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0288.104] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0288.104] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0288.104] lstrcmpiW (lpString1="Favorites", lpString2="microsoft") returned -1 [0288.104] lstrcmpiW (lpString1="Favorites", lpString2="sophos") returned -1 [0288.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0288.104] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0288.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7f8 [0288.104] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0288.105] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.105] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0288.105] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.105] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.105] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43598c8e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43b9f870, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x43b9f870, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2=".") returned 1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="..") returned 1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="...") returned 1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="windows") returned -1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="$RECYCLE.BIN") returned 1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="rsa") returned -1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="NTDETECT.COM") returned -1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="ntldr") returned -1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="MSDOS.SYS") returned -1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="IO.SYS") returned -1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="boot.ini") returned -1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="AUTOEXEC.BAT") returned 1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="ntuser.dat") returned -1 [0288.105] lstrcmpiW (lpString1="Bing.url", lpString2="desktop.ini") returned -1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="CONFIG.SYS") returned -1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="RECYCLER") returned -1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="BOOTSECT.BAK") returned -1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="bootmgr") returned -1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="programdata") returned -1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="appdata") returned 1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="program files") returned -1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="program files (x86)") returned -1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="microsoft") returned -1 [0288.106] lstrcmpiW (lpString1="Bing.url", lpString2="sophos") returned -1 [0288.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de840 [0288.106] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.106] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0288.106] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0288.106] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0288.106] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0288.106] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0288.106] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0288.106] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0288.106] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0288.106] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0288.107] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0288.107] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0288.107] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0288.107] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="Links", cAlternateFileName="")) returned 1 [0288.107] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0288.107] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0288.107] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0288.107] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0288.107] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0288.107] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0288.107] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0288.107] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="microsoft") returned -1 [0288.108] lstrcmpiW (lpString1="Links", lpString2="sophos") returned -1 [0288.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7f8 [0288.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x5e) returned 0x28dbcc0 [0288.108] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.108] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de840 | out: hHeap=0x28d0000) returned 1 [0288.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0288.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd28 [0288.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd80 [0288.108] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x69000069, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0288.109] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.109] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x69000069, cFileName="..", cAlternateFileName="")) returned 1 [0288.109] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.109] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.109] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x69000069, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0288.109] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0288.110] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0288.110] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0288.110] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0288.110] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x69000069, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0288.110] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0288.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd80 | out: hHeap=0x28d0000) returned 1 [0288.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0288.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.110] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="Links", cAlternateFileName="")) returned 0 [0288.110] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0288.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0288.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0288.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.110] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Links", cAlternateFileName="")) returned 1 [0288.110] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="microsoft") returned -1 [0288.111] lstrcmpiW (lpString1="Links", lpString2="sophos") returned -1 [0288.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c0 [0288.112] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf0 [0288.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec40 [0288.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.112] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Links\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0288.112] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.112] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0288.112] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.112] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcee4480b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0288.112] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0288.112] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0288.112] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0288.112] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0288.113] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0288.113] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4428f2bb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4428f2bb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce90d59d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="...") returned 1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="windows") returned -1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$RECYCLE.BIN") returned 1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="rsa") returned -1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="NTDETECT.COM") returned -1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntldr") returned -1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="MSDOS.SYS") returned -1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="IO.SYS") returned -1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="boot.ini") returned 1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0288.113] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntuser.dat") returned -1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="desktop.ini") returned 1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="CONFIG.SYS") returned 1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="RECYCLER") returned -1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="BOOTSECT.BAK") returned 1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="bootmgr") returned 1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="programdata") returned -1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="appdata") returned 1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files") returned -1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files (x86)") returned -1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="microsoft") returned -1 [0288.114] lstrcmpiW (lpString1="Desktop.lnk", lpString2="sophos") returned -1 [0288.114] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de768 [0288.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.114] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0288.114] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0288.114] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0288.114] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0288.114] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0288.114] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0288.114] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0288.114] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0288.115] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0288.115] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0288.115] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0288.115] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0288.115] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0288.115] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0288.115] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0288.115] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0288.115] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0288.115] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x442b54f3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x442b54f3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcec7abde, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="...") returned 1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="windows") returned -1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$RECYCLE.BIN") returned 1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="rsa") returned -1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="NTDETECT.COM") returned -1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntldr") returned -1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="MSDOS.SYS") returned -1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="IO.SYS") returned -1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="boot.ini") returned 1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0288.115] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntuser.dat") returned -1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="desktop.ini") returned 1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="CONFIG.SYS") returned 1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="RECYCLER") returned -1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="BOOTSECT.BAK") returned 1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="bootmgr") returned 1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="programdata") returned -1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="appdata") returned 1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files") returned -1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files (x86)") returned -1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="microsoft") returned -1 [0288.116] lstrcmpiW (lpString1="Downloads.lnk", lpString2="sophos") returned -1 [0288.116] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7c0 [0288.116] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.116] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0288.116] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0288.116] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0288.116] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0288.116] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0288.116] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0288.116] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0288.116] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0288.116] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0288.116] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0288.117] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0288.117] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0288.117] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0288.117] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0288.117] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0288.117] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0288.117] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0288.117] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2=".") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="..") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="...") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="windows") returned -1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="$RECYCLE.BIN") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="rsa") returned -1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="NTDETECT.COM") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="ntldr") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="MSDOS.SYS") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="IO.SYS") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="boot.ini") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="ntuser.dat") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="desktop.ini") returned 1 [0288.117] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="CONFIG.SYS") returned 1 [0288.118] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="RECYCLER") returned -1 [0288.118] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="BOOTSECT.BAK") returned 1 [0288.118] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="bootmgr") returned 1 [0288.118] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="programdata") returned -1 [0288.118] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="appdata") returned 1 [0288.118] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="program files") returned -1 [0288.118] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="program files (x86)") returned -1 [0288.118] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="microsoft") returned 1 [0288.118] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="sophos") returned -1 [0288.118] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de818 [0288.118] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7c0 | out: hHeap=0x28d0000) returned 1 [0288.118] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0288.118] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0288.119] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0288.119] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0288.119] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0288.119] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0288.119] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0288.119] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0288.119] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 0 [0288.119] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0288.119] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de818 | out: hHeap=0x28d0000) returned 1 [0288.119] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec40 | out: hHeap=0x28d0000) returned 1 [0288.119] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf0 | out: hHeap=0x28d0000) returned 1 [0288.119] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0288.119] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0288.119] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0288.119] lstrcmpiW (lpString1="Local Settings", lpString2="...") returned 1 [0288.119] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0288.119] lstrcmpiW (lpString1="Local Settings", lpString2="$RECYCLE.BIN") returned 1 [0288.119] lstrcmpiW (lpString1="Local Settings", lpString2="rsa") returned -1 [0288.119] lstrcmpiW (lpString1="Local Settings", lpString2="NTDETECT.COM") returned -1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="ntldr") returned -1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="MSDOS.SYS") returned -1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="IO.SYS") returned 1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="boot.ini") returned 1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="AUTOEXEC.BAT") returned 1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="ntuser.dat") returned -1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="desktop.ini") returned 1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="CONFIG.SYS") returned 1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="RECYCLER") returned -1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="BOOTSECT.BAK") returned 1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="bootmgr") returned 1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="programdata") returned -1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="appdata") returned 1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="program files") returned -1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="program files (x86)") returned -1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="microsoft") returned -1 [0288.120] lstrcmpiW (lpString1="Local Settings", lpString2="sophos") returned -1 [0288.120] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.120] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c0 | out: hHeap=0x28d0000) returned 1 [0288.120] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0288.120] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0288.121] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0288.121] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Local Settings\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x49000049, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x49000049, nFileSizeHigh=0x28d0000, nFileSizeLow=0x53a, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="", cAlternateFileName="ɮ⊺\x01ʍʍ>")) returned 0xffffffff [0288.121] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.121] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0288.121] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.121] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe746faa1, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe746faa1, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Music", cAlternateFileName="")) returned 1 [0288.121] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="$RECYCLE.BIN") returned 1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="NTDETECT.COM") returned -1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="ntldr") returned -1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="MSDOS.SYS") returned 1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="IO.SYS") returned 1 [0288.121] lstrcmpiW (lpString1="Music", lpString2="boot.ini") returned 1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="AUTOEXEC.BAT") returned 1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="desktop.ini") returned 1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="CONFIG.SYS") returned 1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="RECYCLER") returned -1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="BOOTSECT.BAK") returned 1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="microsoft") returned 1 [0288.122] lstrcmpiW (lpString1="Music", lpString2="sophos") returned -1 [0288.122] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf0 [0288.122] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.122] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de968 [0288.122] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9a0 [0288.122] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.122] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe746faa1, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe746faa1, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0288.122] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.123] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe746faa1, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe746faa1, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="..", cAlternateFileName="")) returned 1 [0288.123] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.123] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.123] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0955d80, ftCreationTime.dwHighDateTime=0x1d5ea5b, ftLastAccessTime.dwLowDateTime=0xf58227d0, ftLastAccessTime.dwHighDateTime=0x1d5e5a5, ftLastWriteTime.dwLowDateTime=0xf58227d0, ftLastWriteTime.dwHighDateTime=0x1d5e5a5, nFileSizeHigh=0x0, nFileSizeLow=0xfcc, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="1Cq7ESPO.wav", cAlternateFileName="")) returned 1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2=".") returned 1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="..") returned 1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="...") returned 1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="windows") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="rsa") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="NTDETECT.COM") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="ntldr") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="MSDOS.SYS") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="IO.SYS") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="boot.ini") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="AUTOEXEC.BAT") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="ntuser.dat") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="desktop.ini") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="CONFIG.SYS") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="RECYCLER") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="BOOTSECT.BAK") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="bootmgr") returned -1 [0288.123] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="programdata") returned -1 [0288.124] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="appdata") returned -1 [0288.124] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="program files") returned -1 [0288.124] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="program files (x86)") returned -1 [0288.124] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="microsoft") returned -1 [0288.124] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="sophos") returned -1 [0288.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de768 [0288.124] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.124] PathFindExtensionW (pszPath="1Cq7ESPO.wav") returned=".wav" [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.124] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.125] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.125] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.125] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.125] lstrcmpiW (lpString1="1Cq7ESPO.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.125] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7c0 [0288.125] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1Cq7ESPO.wav" (normalized: "c:\\users\\fd1hvy\\music\\1cq7espo.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0288.125] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=4044) returned 1 [0288.188] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0288.188] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.188] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0288.188] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.188] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0288.188] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0288.188] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0288.189] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26eec04*=0x100) returned 1 [0288.189] GetTickCount () returned 0x118823d [0288.189] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea10 [0288.189] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea10 | out: hHeap=0x28d0000) returned 1 [0288.189] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xfcc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.189] SetLastError (dwErrCode=0x0) [0288.189] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.190] GetLastError () returned 0x0 [0288.190] GetLastError () returned 0x0 [0288.190] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.190] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.190] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.190] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd218539e, dwHighDateTime=0x1d5fd73)) [0288.191] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.191] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.191] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0288.191] GetProcessHeap () returned 0xa10000 [0288.191] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xfcc) returned 0xa3e6a0 [0288.191] GetSystemDefaultLangID () returned 0xa20409 [0288.191] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.191] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xfcc, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xfcc, lpOverlapped=0x0) returned 1 [0288.191] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.191] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xfcc, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xfcc, lpOverlapped=0x0) returned 1 [0288.191] GetProcessHeap () returned 0xa10000 [0288.191] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0288.191] CloseHandle (hObject=0x26c) returned 1 [0288.191] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0288.191] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0288.192] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0288.192] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.192] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de818 [0288.192] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1Cq7ESPO.wav" (normalized: "c:\\users\\fd1hvy\\music\\1cq7espo.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1Cq7ESPO.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1cq7espo.wav.nefilim")) returned 1 [0288.195] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de818 | out: hHeap=0x28d0000) returned 1 [0288.195] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7c0 | out: hHeap=0x28d0000) returned 1 [0288.195] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d596d40, ftCreationTime.dwHighDateTime=0x1d5ecea, ftLastAccessTime.dwLowDateTime=0xc896c0e0, ftLastAccessTime.dwHighDateTime=0x1d5eb7d, ftLastWriteTime.dwLowDateTime=0xc896c0e0, ftLastWriteTime.dwHighDateTime=0x1d5eb7d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="1J7ClV2R", cAlternateFileName="")) returned 1 [0288.195] lstrcmpiW (lpString1="1J7ClV2R", lpString2=".") returned 1 [0288.195] lstrcmpiW (lpString1="1J7ClV2R", lpString2="..") returned 1 [0288.195] lstrcmpiW (lpString1="1J7ClV2R", lpString2="...") returned 1 [0288.195] lstrcmpiW (lpString1="1J7ClV2R", lpString2="windows") returned -1 [0288.195] lstrcmpiW (lpString1="1J7ClV2R", lpString2="$RECYCLE.BIN") returned 1 [0288.195] lstrcmpiW (lpString1="1J7ClV2R", lpString2="rsa") returned -1 [0288.195] lstrcmpiW (lpString1="1J7ClV2R", lpString2="NTDETECT.COM") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="ntldr") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="MSDOS.SYS") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="IO.SYS") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="boot.ini") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="AUTOEXEC.BAT") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="ntuser.dat") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="desktop.ini") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="CONFIG.SYS") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="RECYCLER") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="BOOTSECT.BAK") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="bootmgr") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="programdata") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="appdata") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="program files") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="program files (x86)") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="microsoft") returned -1 [0288.196] lstrcmpiW (lpString1="1J7ClV2R", lpString2="sophos") returned -1 [0288.196] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.196] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.196] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0288.196] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0288.196] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0288.196] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d596d40, ftCreationTime.dwHighDateTime=0x1d5ecea, ftLastAccessTime.dwLowDateTime=0xc896c0e0, ftLastAccessTime.dwHighDateTime=0x1d5eb7d, ftLastWriteTime.dwLowDateTime=0xc896c0e0, ftLastWriteTime.dwHighDateTime=0x1d5eb7d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0288.197] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.197] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d596d40, ftCreationTime.dwHighDateTime=0x1d5ecea, ftLastAccessTime.dwLowDateTime=0xc896c0e0, ftLastAccessTime.dwHighDateTime=0x1d5eb7d, ftLastWriteTime.dwLowDateTime=0xc896c0e0, ftLastWriteTime.dwHighDateTime=0x1d5eb7d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="..", cAlternateFileName="")) returned 1 [0288.197] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.197] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.197] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa4d1530, ftCreationTime.dwHighDateTime=0x1d5ed2b, ftLastAccessTime.dwLowDateTime=0xb6aecf20, ftLastAccessTime.dwHighDateTime=0x1d5ebe7, ftLastWriteTime.dwLowDateTime=0xb6aecf20, ftLastWriteTime.dwHighDateTime=0x1d5ebe7, nFileSizeHigh=0x0, nFileSizeLow=0x4ee2, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="4n0Esw.wav", cAlternateFileName="")) returned 1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2=".") returned 1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="..") returned 1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="...") returned 1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="windows") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="rsa") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="NTDETECT.COM") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="ntldr") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="MSDOS.SYS") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="IO.SYS") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="boot.ini") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="AUTOEXEC.BAT") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="ntuser.dat") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="desktop.ini") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="CONFIG.SYS") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="RECYCLER") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="BOOTSECT.BAK") returned -1 [0288.197] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="bootmgr") returned -1 [0288.198] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="programdata") returned -1 [0288.198] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="appdata") returned -1 [0288.198] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="program files") returned -1 [0288.198] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="program files (x86)") returned -1 [0288.198] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="microsoft") returned -1 [0288.198] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="sophos") returned -1 [0288.198] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0288.198] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.198] PathFindExtensionW (pszPath="4n0Esw.wav") returned=".wav" [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.198] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.198] lstrcmpiW (lpString1="4n0Esw.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.198] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0288.199] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\4n0Esw.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\4n0esw.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0288.199] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=20194) returned 1 [0288.199] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.199] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0288.199] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.199] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0288.199] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.199] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0288.199] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0288.199] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0288.201] GetTickCount () returned 0x118823d [0288.201] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9d8 [0288.201] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9d8 | out: hHeap=0x28d0000) returned 1 [0288.201] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4ee2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.202] SetLastError (dwErrCode=0x0) [0288.202] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0288.203] GetLastError () returned 0x0 [0288.203] GetLastError () returned 0x0 [0288.203] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4fe2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.203] WriteFile (in: hFile=0x270, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0288.203] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x50e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.203] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd218539e, dwHighDateTime=0x1d5fd73)) [0288.203] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0288.203] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0288.203] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0288.203] GetProcessHeap () returned 0xa10000 [0288.203] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4ee2) returned 0xa3f6a8 [0288.298] GetSystemDefaultLangID () returned 0xa20409 [0288.299] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.299] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x4ee2, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x4ee2, lpOverlapped=0x0) returned 1 [0288.301] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.301] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x4ee2, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x4ee2, lpOverlapped=0x0) returned 1 [0288.302] GetProcessHeap () returned 0xa10000 [0288.302] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0288.302] CloseHandle (hObject=0x270) returned 1 [0288.303] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.303] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0288.303] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.303] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0288.303] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0288.303] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\4n0Esw.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\4n0esw.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\4n0Esw.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\4n0esw.wav.nefilim")) returned 1 [0288.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0288.306] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.306] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x976644a0, ftCreationTime.dwHighDateTime=0x1d5edd0, ftLastAccessTime.dwLowDateTime=0xad23cb60, ftLastAccessTime.dwHighDateTime=0x1d5e703, ftLastWriteTime.dwLowDateTime=0xad23cb60, ftLastWriteTime.dwHighDateTime=0x1d5e703, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="IeHqixTzIN", cAlternateFileName="IEHQIX~1")) returned 1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2=".") returned 1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="..") returned 1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="...") returned 1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="windows") returned -1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="$RECYCLE.BIN") returned 1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="rsa") returned -1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="NTDETECT.COM") returned -1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="ntldr") returned -1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="MSDOS.SYS") returned -1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="IO.SYS") returned -1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="boot.ini") returned 1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="AUTOEXEC.BAT") returned 1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="ntuser.dat") returned -1 [0288.306] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="desktop.ini") returned 1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="CONFIG.SYS") returned 1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="RECYCLER") returned -1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="BOOTSECT.BAK") returned 1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="bootmgr") returned 1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="programdata") returned -1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="appdata") returned 1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="program files") returned -1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="program files (x86)") returned -1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="microsoft") returned -1 [0288.307] lstrcmpiW (lpString1="IeHqixTzIN", lpString2="sophos") returned -1 [0288.307] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0288.307] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0288.307] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0288.307] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0288.307] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd90 [0288.307] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x976644a0, ftCreationTime.dwHighDateTime=0x1d5edd0, ftLastAccessTime.dwLowDateTime=0xad23cb60, ftLastAccessTime.dwHighDateTime=0x1d5e703, ftLastWriteTime.dwLowDateTime=0xad23cb60, ftLastWriteTime.dwHighDateTime=0x1d5e703, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName=".", cAlternateFileName="")) returned 0xa2f360 [0288.308] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.308] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x976644a0, ftCreationTime.dwHighDateTime=0x1d5edd0, ftLastAccessTime.dwLowDateTime=0xad23cb60, ftLastAccessTime.dwHighDateTime=0x1d5e703, ftLastWriteTime.dwLowDateTime=0xad23cb60, ftLastWriteTime.dwHighDateTime=0x1d5e703, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="..", cAlternateFileName="")) returned 1 [0288.308] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.308] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.308] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a878d0, ftCreationTime.dwHighDateTime=0x1d5ec4d, ftLastAccessTime.dwLowDateTime=0x475e9110, ftLastAccessTime.dwHighDateTime=0x1d5f0be, ftLastWriteTime.dwLowDateTime=0x475e9110, ftLastWriteTime.dwHighDateTime=0x1d5f0be, nFileSizeHigh=0x0, nFileSizeLow=0x2f76, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="0Xhfu.mp3", cAlternateFileName="")) returned 1 [0288.308] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2=".") returned 1 [0288.308] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="..") returned 1 [0288.308] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="...") returned 1 [0288.308] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="windows") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="rsa") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="NTDETECT.COM") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="ntldr") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="MSDOS.SYS") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="IO.SYS") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="boot.ini") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="AUTOEXEC.BAT") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="ntuser.dat") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="desktop.ini") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="CONFIG.SYS") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="RECYCLER") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="BOOTSECT.BAK") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="bootmgr") returned -1 [0288.309] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="programdata") returned -1 [0288.310] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="appdata") returned -1 [0288.310] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="program files") returned -1 [0288.310] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="program files (x86)") returned -1 [0288.312] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="microsoft") returned -1 [0288.312] lstrcmpiW (lpString1="0Xhfu.mp3", lpString2="sophos") returned -1 [0288.312] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbdf8 [0288.312] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0288.312] PathFindExtensionW (pszPath="0Xhfu.mp3") returned=".mp3" [0288.313] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.313] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.313] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.313] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.313] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.313] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.314] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.314] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.314] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.314] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.314] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.314] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcca159f0, ftCreationTime.dwHighDateTime=0x1d5e98b, ftLastAccessTime.dwLowDateTime=0x27c9fd70, ftLastAccessTime.dwHighDateTime=0x1d5e214, ftLastWriteTime.dwLowDateTime=0x27c9fd70, ftLastWriteTime.dwHighDateTime=0x1d5e214, nFileSizeHigh=0x0, nFileSizeLow=0x728, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="1O49Ddk.mp3", cAlternateFileName="")) returned 1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2=".") returned 1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="..") returned 1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="...") returned 1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="windows") returned -1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="rsa") returned -1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="NTDETECT.COM") returned -1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="ntldr") returned -1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="MSDOS.SYS") returned -1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="IO.SYS") returned -1 [0288.314] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="boot.ini") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="AUTOEXEC.BAT") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="ntuser.dat") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="desktop.ini") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="CONFIG.SYS") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="RECYCLER") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="BOOTSECT.BAK") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="bootmgr") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="programdata") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="appdata") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="program files") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="program files (x86)") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="microsoft") returned -1 [0288.315] lstrcmpiW (lpString1="1O49Ddk.mp3", lpString2="sophos") returned -1 [0288.315] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0288.315] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0288.315] PathFindExtensionW (pszPath="1O49Ddk.mp3") returned=".mp3" [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.316] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.316] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc635dac0, ftCreationTime.dwHighDateTime=0x1d5f091, ftLastAccessTime.dwLowDateTime=0x36294f40, ftLastAccessTime.dwHighDateTime=0x1d5e57c, ftLastWriteTime.dwLowDateTime=0x36294f40, ftLastWriteTime.dwHighDateTime=0x1d5e57c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="7CmHrL5TaYcm", cAlternateFileName="7CMHRL~1")) returned 1 [0288.316] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2=".") returned 1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="..") returned 1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="...") returned 1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="windows") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="$RECYCLE.BIN") returned 1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="rsa") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="NTDETECT.COM") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="ntldr") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="MSDOS.SYS") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="IO.SYS") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="boot.ini") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="AUTOEXEC.BAT") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="ntuser.dat") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="desktop.ini") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="CONFIG.SYS") returned -1 [0288.317] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="RECYCLER") returned -1 [0288.318] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="BOOTSECT.BAK") returned -1 [0288.318] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="bootmgr") returned -1 [0288.318] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="programdata") returned -1 [0288.318] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="appdata") returned -1 [0288.318] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="program files") returned -1 [0288.318] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="program files (x86)") returned -1 [0288.318] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="microsoft") returned -1 [0288.318] lstrcmpiW (lpString1="7CmHrL5TaYcm", lpString2="sophos") returned -1 [0288.318] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0288.318] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0288.318] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe08 [0288.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe80 [0288.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28deca0 [0288.319] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc635dac0, ftCreationTime.dwHighDateTime=0x1d5f091, ftLastAccessTime.dwLowDateTime=0x36294f40, ftLastAccessTime.dwHighDateTime=0x1d5e57c, ftLastWriteTime.dwLowDateTime=0x36294f40, ftLastWriteTime.dwHighDateTime=0x1d5e57c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0288.319] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.319] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc635dac0, ftCreationTime.dwHighDateTime=0x1d5f091, ftLastAccessTime.dwLowDateTime=0x36294f40, ftLastAccessTime.dwHighDateTime=0x1d5e57c, ftLastWriteTime.dwLowDateTime=0x36294f40, ftLastWriteTime.dwHighDateTime=0x1d5e57c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0288.320] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.320] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.320] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9409460, ftCreationTime.dwHighDateTime=0x1d5eee4, ftLastAccessTime.dwLowDateTime=0xffd59670, ftLastAccessTime.dwHighDateTime=0x1d5ec0f, ftLastWriteTime.dwLowDateTime=0xffd59670, ftLastWriteTime.dwHighDateTime=0x1d5ec0f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nHtFeZLjlJoxRTggY", cAlternateFileName="NHTFEZ~1")) returned 1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2=".") returned 1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="..") returned 1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="...") returned 1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="windows") returned -1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="$RECYCLE.BIN") returned 1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="rsa") returned -1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="NTDETECT.COM") returned -1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="ntldr") returned -1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="MSDOS.SYS") returned 1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="IO.SYS") returned 1 [0288.320] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="boot.ini") returned 1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="AUTOEXEC.BAT") returned 1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="ntuser.dat") returned -1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="desktop.ini") returned 1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="CONFIG.SYS") returned 1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="RECYCLER") returned -1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="BOOTSECT.BAK") returned 1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="bootmgr") returned 1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="programdata") returned -1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="appdata") returned 1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="program files") returned -1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="program files (x86)") returned -1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="microsoft") returned 1 [0288.321] lstrcmpiW (lpString1="nHtFeZLjlJoxRTggY", lpString2="sophos") returned -1 [0288.321] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28ded28 [0288.322] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dedd0 [0288.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee78 [0288.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28def20 [0288.322] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\nHtFeZLjlJoxRTggY\\*.*", lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9409460, ftCreationTime.dwHighDateTime=0x1d5eee4, ftLastAccessTime.dwLowDateTime=0xffd59670, ftLastAccessTime.dwHighDateTime=0x1d5ec0f, ftLastWriteTime.dwLowDateTime=0xffd59670, ftLastWriteTime.dwHighDateTime=0x1d5ec0f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0288.322] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.322] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9409460, ftCreationTime.dwHighDateTime=0x1d5eee4, ftLastAccessTime.dwLowDateTime=0xffd59670, ftLastAccessTime.dwHighDateTime=0x1d5ec0f, ftLastWriteTime.dwLowDateTime=0xffd59670, ftLastWriteTime.dwHighDateTime=0x1d5ec0f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0288.323] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.323] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.323] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe96a78c0, ftCreationTime.dwHighDateTime=0x1d5e150, ftLastAccessTime.dwLowDateTime=0x732d2ec0, ftLastAccessTime.dwHighDateTime=0x1d5e964, ftLastWriteTime.dwLowDateTime=0x732d2ec0, ftLastWriteTime.dwHighDateTime=0x1d5e964, nFileSizeHigh=0x0, nFileSizeLow=0xd49d, dwReserved0=0x0, dwReserved1=0x0, cFileName="7UkH 2JpXERMt7_oT9B.wav", cAlternateFileName="7UKH2J~1.WAV")) returned 1 [0288.323] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2=".") returned 1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="..") returned 1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="...") returned 1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="windows") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="rsa") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="NTDETECT.COM") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="ntldr") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="MSDOS.SYS") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="IO.SYS") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="boot.ini") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="AUTOEXEC.BAT") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="ntuser.dat") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="desktop.ini") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="CONFIG.SYS") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="RECYCLER") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="BOOTSECT.BAK") returned -1 [0288.324] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="bootmgr") returned -1 [0288.325] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="programdata") returned -1 [0288.325] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="appdata") returned -1 [0288.325] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="program files") returned -1 [0288.325] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="program files (x86)") returned -1 [0288.325] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="microsoft") returned -1 [0288.325] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="sophos") returned -1 [0288.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x2d22050 [0288.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def20 | out: hHeap=0x28d0000) returned 1 [0288.325] PathFindExtensionW (pszPath="7UkH 2JpXERMt7_oT9B.wav") returned=".wav" [0288.325] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.325] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.325] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.325] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.326] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.326] lstrcmpiW (lpString1="7UkH 2JpXERMt7_oT9B.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.326] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x2d22128 [0288.327] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\nHtFeZLjlJoxRTggY\\7UkH 2JpXERMt7_oT9B.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\nhtfezljljoxrtggy\\7ukh 2jpxermt7_ot9b.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0288.327] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x26edfc8 | out: lpFileSize=0x26edfc8*=54429) returned 1 [0288.327] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0288.327] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0288.328] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0288.328] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0288.328] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.328] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0288.328] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26edf88*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26edf88*=0x100) returned 1 [0288.331] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26edf84*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26edf84*=0x100) returned 1 [0288.333] GetTickCount () returned 0x11882ba [0288.333] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea80 [0288.333] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea80 | out: hHeap=0x28d0000) returned 1 [0288.333] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xd49d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.333] SetLastError (dwErrCode=0x0) [0288.333] WriteFile (in: hFile=0x27c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.334] GetLastError () returned 0x0 [0288.334] GetLastError () returned 0x0 [0288.334] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xd59d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.334] WriteFile (in: hFile=0x27c, lpBuffer=0x2d21930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d21930*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.334] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xd69d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.335] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26edf9c | out: lpSystemTimeAsFileTime=0x26edf9c*(dwLowDateTime=0xd22ebb75, dwHighDateTime=0x1d5fd73)) [0288.335] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28deca0 [0288.335] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.335] WriteFile (in: hFile=0x27c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26edfe0*=0x7, lpOverlapped=0x0) returned 1 [0288.335] GetProcessHeap () returned 0xa10000 [0288.336] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xd49d) returned 0xa426c0 [0288.336] GetSystemDefaultLangID () returned 0xa20409 [0288.336] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.336] ReadFile (in: hFile=0x27c, lpBuffer=0xa426c0, nNumberOfBytesToRead=0xd49d, lpNumberOfBytesRead=0x26edfec, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesRead=0x26edfec*=0xd49d, lpOverlapped=0x0) returned 1 [0288.341] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.341] WriteFile (in: hFile=0x27c, lpBuffer=0xa426c0*, nNumberOfBytesToWrite=0xd49d, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesWritten=0x26edfe0*=0xd49d, lpOverlapped=0x0) returned 1 [0288.342] GetProcessHeap () returned 0xa10000 [0288.342] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa426c0 | out: hHeap=0xa10000) returned 1 [0288.342] CloseHandle (hObject=0x27c) returned 1 [0288.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21930 | out: hHeap=0x28d0000) returned 1 [0288.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0288.342] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0288.342] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x2d22200 [0288.342] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\nHtFeZLjlJoxRTggY\\7UkH 2JpXERMt7_oT9B.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\nhtfezljljoxrtggy\\7ukh 2jpxermt7_ot9b.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\nHtFeZLjlJoxRTggY\\7UkH 2JpXERMt7_oT9B.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\nhtfezljljoxrtggy\\7ukh 2jpxermt7_ot9b.wav.nefilim")) returned 1 [0288.343] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22200 | out: hHeap=0x28d0000) returned 1 [0288.343] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22128 | out: hHeap=0x28d0000) returned 1 [0288.343] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa87de0, ftCreationTime.dwHighDateTime=0x1d5ea2d, ftLastAccessTime.dwLowDateTime=0x802db2e0, ftLastAccessTime.dwHighDateTime=0x1d5ecd7, ftLastWriteTime.dwLowDateTime=0x802db2e0, ftLastWriteTime.dwHighDateTime=0x1d5ecd7, nFileSizeHigh=0x0, nFileSizeLow=0xac73, dwReserved0=0x0, dwReserved1=0x0, cFileName="ai7bIskOglrcYw1rE.m4a", cAlternateFileName="AI7BIS~1.M4A")) returned 1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2=".") returned 1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="..") returned 1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="...") returned 1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="windows") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="$RECYCLE.BIN") returned 1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="rsa") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="NTDETECT.COM") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="ntldr") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="MSDOS.SYS") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="IO.SYS") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="boot.ini") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="AUTOEXEC.BAT") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="ntuser.dat") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="desktop.ini") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="CONFIG.SYS") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="RECYCLER") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="BOOTSECT.BAK") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="bootmgr") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="programdata") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="appdata") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="program files") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="program files (x86)") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="microsoft") returned -1 [0288.344] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="sophos") returned -1 [0288.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28def20 [0288.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0288.345] PathFindExtensionW (pszPath="ai7bIskOglrcYw1rE.m4a") returned=".m4a" [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0288.345] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0288.345] lstrcmpiW (lpString1="ai7bIskOglrcYw1rE.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x2d22050 [0288.345] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\nHtFeZLjlJoxRTggY\\ai7bIskOglrcYw1rE.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\nhtfezljljoxrtggy\\ai7biskoglrcyw1re.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0288.346] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x26edfc8 | out: lpFileSize=0x26edfc8*=44147) returned 1 [0288.346] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.346] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0288.346] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.346] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0288.346] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0288.346] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.346] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26edf88*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26edf88*=0x100) returned 1 [0288.347] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26edf84*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26edf84*=0x100) returned 1 [0288.349] GetTickCount () returned 0x11882da [0288.349] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9d8 [0288.349] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9d8 | out: hHeap=0x28d0000) returned 1 [0288.349] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xac73, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.438] SetLastError (dwErrCode=0x0) [0288.438] WriteFile (in: hFile=0x27c, lpBuffer=0x2d21c48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d21c48*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.440] GetLastError () returned 0x0 [0288.440] GetLastError () returned 0x0 [0288.440] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xad73, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.440] WriteFile (in: hFile=0x27c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.440] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xae73, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.440] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26edf9c | out: lpSystemTimeAsFileTime=0x26edf9c*(dwLowDateTime=0xd23e7997, dwHighDateTime=0x1d5fd73)) [0288.440] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28deca0 [0288.440] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.440] WriteFile (in: hFile=0x27c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26edfe0*=0x7, lpOverlapped=0x0) returned 1 [0288.440] GetProcessHeap () returned 0xa10000 [0288.440] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xac73) returned 0xa426c0 [0288.442] GetSystemDefaultLangID () returned 0xa20409 [0288.442] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.442] ReadFile (in: hFile=0x27c, lpBuffer=0xa426c0, nNumberOfBytesToRead=0xac73, lpNumberOfBytesRead=0x26edfec, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesRead=0x26edfec*=0xac73, lpOverlapped=0x0) returned 1 [0288.445] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.445] WriteFile (in: hFile=0x27c, lpBuffer=0xa426c0*, nNumberOfBytesToWrite=0xac73, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesWritten=0x26edfe0*=0xac73, lpOverlapped=0x0) returned 1 [0288.446] GetProcessHeap () returned 0xa10000 [0288.446] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa426c0 | out: hHeap=0xa10000) returned 1 [0288.446] CloseHandle (hObject=0x27c) returned 1 [0288.446] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21c48 | out: hHeap=0x28d0000) returned 1 [0288.446] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.446] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.446] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0288.446] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x2d22118 [0288.446] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\nHtFeZLjlJoxRTggY\\ai7bIskOglrcYw1rE.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\nhtfezljljoxrtggy\\ai7biskoglrcyw1re.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\nHtFeZLjlJoxRTggY\\ai7bIskOglrcYw1rE.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\nhtfezljljoxrtggy\\ai7biskoglrcyw1re.m4a.nefilim")) returned 1 [0288.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22118 | out: hHeap=0x28d0000) returned 1 [0288.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0288.450] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa87de0, ftCreationTime.dwHighDateTime=0x1d5ea2d, ftLastAccessTime.dwLowDateTime=0x802db2e0, ftLastAccessTime.dwHighDateTime=0x1d5ecd7, ftLastWriteTime.dwLowDateTime=0x802db2e0, ftLastWriteTime.dwHighDateTime=0x1d5ecd7, nFileSizeHigh=0x0, nFileSizeLow=0xac73, dwReserved0=0x0, dwReserved1=0x0, cFileName="ai7bIskOglrcYw1rE.m4a", cAlternateFileName="AI7BIS~1.M4A")) returned 0 [0288.450] FindClose (in: hFindFile=0xa2f920 | out: hFindFile=0xa2f920) returned 1 [0288.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def20 | out: hHeap=0x28d0000) returned 1 [0288.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee78 | out: hHeap=0x28d0000) returned 1 [0288.450] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedd0 | out: hHeap=0x28d0000) returned 1 [0288.450] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcd0ec730, ftCreationTime.dwHighDateTime=0x1d5e8da, ftLastAccessTime.dwLowDateTime=0x455153d0, ftLastAccessTime.dwHighDateTime=0x1d5f02d, ftLastWriteTime.dwLowDateTime=0x455153d0, ftLastWriteTime.dwHighDateTime=0x1d5f02d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rcx0pc", cAlternateFileName="")) returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2=".") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="..") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="...") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="windows") returned -1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="$RECYCLE.BIN") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="rsa") returned -1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="NTDETECT.COM") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="ntldr") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="MSDOS.SYS") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="IO.SYS") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="boot.ini") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="AUTOEXEC.BAT") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="ntuser.dat") returned 1 [0288.450] lstrcmpiW (lpString1="Rcx0pc", lpString2="desktop.ini") returned 1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="CONFIG.SYS") returned 1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="RECYCLER") returned -1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="BOOTSECT.BAK") returned 1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="bootmgr") returned 1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="programdata") returned 1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="appdata") returned 1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="program files") returned 1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="program files (x86)") returned 1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="microsoft") returned 1 [0288.451] lstrcmpiW (lpString1="Rcx0pc", lpString2="sophos") returned -1 [0288.451] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28deca0 [0288.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded28 | out: hHeap=0x28d0000) returned 1 [0288.451] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28ded28 [0288.451] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dedb0 [0288.451] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee38 [0288.451] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\*.*", lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcd0ec730, ftCreationTime.dwHighDateTime=0x1d5e8da, ftLastAccessTime.dwLowDateTime=0x455153d0, ftLastAccessTime.dwHighDateTime=0x1d5f02d, ftLastWriteTime.dwLowDateTime=0x455153d0, ftLastWriteTime.dwHighDateTime=0x1d5f02d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0288.451] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.451] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcd0ec730, ftCreationTime.dwHighDateTime=0x1d5e8da, ftLastAccessTime.dwLowDateTime=0x455153d0, ftLastAccessTime.dwHighDateTime=0x1d5f02d, ftLastWriteTime.dwLowDateTime=0x455153d0, ftLastWriteTime.dwHighDateTime=0x1d5f02d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0288.452] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.452] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.452] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fb0ae10, ftCreationTime.dwHighDateTime=0x1d5e12d, ftLastAccessTime.dwLowDateTime=0xe397f0b0, ftLastAccessTime.dwHighDateTime=0x1d5f016, ftLastWriteTime.dwLowDateTime=0xe397f0b0, ftLastWriteTime.dwHighDateTime=0x1d5f016, nFileSizeHigh=0x0, nFileSizeLow=0x4222, dwReserved0=0x0, dwReserved1=0x0, cFileName="B0_YS1SlMrgmgbls.wav", cAlternateFileName="B0_YS1~1.WAV")) returned 1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2=".") returned 1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="..") returned 1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="...") returned 1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="windows") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="rsa") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="NTDETECT.COM") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="ntldr") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="MSDOS.SYS") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="IO.SYS") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="boot.ini") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="AUTOEXEC.BAT") returned 1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="ntuser.dat") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="desktop.ini") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="CONFIG.SYS") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="RECYCLER") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="BOOTSECT.BAK") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="bootmgr") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="programdata") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="appdata") returned 1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="program files") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="program files (x86)") returned -1 [0288.452] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="microsoft") returned -1 [0288.453] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="sophos") returned -1 [0288.453] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28deed0 [0288.453] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee38 | out: hHeap=0x28d0000) returned 1 [0288.453] PathFindExtensionW (pszPath="B0_YS1SlMrgmgbls.wav") returned=".wav" [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.453] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.454] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.454] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.454] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.454] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.454] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.454] lstrcmpiW (lpString1="B0_YS1SlMrgmgbls.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x2d22050 [0288.454] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\B0_YS1SlMrgmgbls.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\rcx0pc\\b0_ys1slmrgmgbls.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0288.454] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x26edfc8 | out: lpFileSize=0x26edfc8*=16930) returned 1 [0288.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0288.455] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.455] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0288.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.455] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26edf88*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26edf88*=0x100) returned 1 [0288.455] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26edf84*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26edf84*=0x100) returned 1 [0288.455] GetTickCount () returned 0x1188347 [0288.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28debd0 [0288.456] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28debd0 | out: hHeap=0x28d0000) returned 1 [0288.456] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x4222, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.456] SetLastError (dwErrCode=0x0) [0288.456] WriteFile (in: hFile=0x27c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.457] GetLastError () returned 0x0 [0288.457] GetLastError () returned 0x0 [0288.457] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x4322, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.457] WriteFile (in: hFile=0x27c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.457] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x4422, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.457] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26edf9c | out: lpSystemTimeAsFileTime=0x26edf9c*(dwLowDateTime=0xd240dd0c, dwHighDateTime=0x1d5fd73)) [0288.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28def88 [0288.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def88 | out: hHeap=0x28d0000) returned 1 [0288.457] WriteFile (in: hFile=0x27c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26edfe0*=0x7, lpOverlapped=0x0) returned 1 [0288.457] GetProcessHeap () returned 0xa10000 [0288.457] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4222) returned 0xa426c0 [0288.458] GetSystemDefaultLangID () returned 0xa20409 [0288.458] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.458] ReadFile (in: hFile=0x27c, lpBuffer=0xa426c0, nNumberOfBytesToRead=0x4222, lpNumberOfBytesRead=0x26edfec, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesRead=0x26edfec*=0x4222, lpOverlapped=0x0) returned 1 [0288.459] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.459] WriteFile (in: hFile=0x27c, lpBuffer=0xa426c0*, nNumberOfBytesToWrite=0x4222, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesWritten=0x26edfe0*=0x4222, lpOverlapped=0x0) returned 1 [0288.459] GetProcessHeap () returned 0xa10000 [0288.459] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa426c0 | out: hHeap=0xa10000) returned 1 [0288.461] CloseHandle (hObject=0x27c) returned 1 [0288.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0288.461] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x2d22108 [0288.461] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\B0_YS1SlMrgmgbls.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\rcx0pc\\b0_ys1slmrgmgbls.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\B0_YS1SlMrgmgbls.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\rcx0pc\\b0_ys1slmrgmgbls.wav.nefilim")) returned 1 [0288.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22108 | out: hHeap=0x28d0000) returned 1 [0288.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0288.462] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3de6490, ftCreationTime.dwHighDateTime=0x1d5eff3, ftLastAccessTime.dwLowDateTime=0xb3ae5890, ftLastAccessTime.dwHighDateTime=0x1d5ec64, ftLastWriteTime.dwLowDateTime=0xb3ae5890, ftLastWriteTime.dwHighDateTime=0x1d5ec64, nFileSizeHigh=0x0, nFileSizeLow=0x118ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="hhQwaa2_.m4a", cAlternateFileName="")) returned 1 [0288.462] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2=".") returned 1 [0288.462] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="..") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="...") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="windows") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="$RECYCLE.BIN") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="rsa") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="NTDETECT.COM") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="ntldr") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="MSDOS.SYS") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="IO.SYS") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="boot.ini") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="ntuser.dat") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="desktop.ini") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="CONFIG.SYS") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="RECYCLER") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="BOOTSECT.BAK") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="bootmgr") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="programdata") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="appdata") returned 1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="program files") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="program files (x86)") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="microsoft") returned -1 [0288.463] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="sophos") returned -1 [0288.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x2d22050 [0288.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deed0 | out: hHeap=0x28d0000) returned 1 [0288.463] PathFindExtensionW (pszPath="hhQwaa2_.m4a") returned=".m4a" [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0288.464] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0288.464] lstrcmpiW (lpString1="hhQwaa2_.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.464] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee38 [0288.464] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\hhQwaa2_.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\rcx0pc\\hhqwaa2_.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0288.465] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x26edfc8 | out: lpFileSize=0x26edfc8*=71886) returned 1 [0288.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0288.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0288.465] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0288.465] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0288.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0288.465] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26edf88*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26edf88*=0x100) returned 1 [0288.467] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26edf84*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26edf84*=0x100) returned 1 [0288.467] GetTickCount () returned 0x1188347 [0288.467] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea48 [0288.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea48 | out: hHeap=0x28d0000) returned 1 [0288.467] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x118ce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.467] SetLastError (dwErrCode=0x0) [0288.468] WriteFile (in: hFile=0x27c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.469] GetLastError () returned 0x0 [0288.469] GetLastError () returned 0x0 [0288.469] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x119ce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.469] WriteFile (in: hFile=0x27c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.470] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x11ace, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.470] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26edf9c | out: lpSystemTimeAsFileTime=0x26edf9c*(dwLowDateTime=0xd2433ebb, dwHighDateTime=0x1d5fd73)) [0288.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28deee0 [0288.470] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deee0 | out: hHeap=0x28d0000) returned 1 [0288.470] WriteFile (in: hFile=0x27c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26edfe0*=0x7, lpOverlapped=0x0) returned 1 [0288.470] GetProcessHeap () returned 0xa10000 [0288.470] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x118ce) returned 0xa426c0 [0288.470] GetSystemDefaultLangID () returned 0xa20409 [0288.470] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.471] ReadFile (in: hFile=0x27c, lpBuffer=0xa426c0, nNumberOfBytesToRead=0x118ce, lpNumberOfBytesRead=0x26edfec, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesRead=0x26edfec*=0x118ce, lpOverlapped=0x0) returned 1 [0288.475] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.475] WriteFile (in: hFile=0x27c, lpBuffer=0xa426c0*, nNumberOfBytesToWrite=0x118ce, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesWritten=0x26edfe0*=0x118ce, lpOverlapped=0x0) returned 1 [0288.476] GetProcessHeap () returned 0xa10000 [0288.476] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa426c0 | out: hHeap=0xa10000) returned 1 [0288.476] CloseHandle (hObject=0x27c) returned 1 [0288.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0288.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0288.476] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0288.476] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28deee0 [0288.476] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\hhQwaa2_.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\rcx0pc\\hhqwaa2_.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\hhQwaa2_.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\rcx0pc\\hhqwaa2_.m4a.nefilim")) returned 1 [0288.477] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deee0 | out: hHeap=0x28d0000) returned 1 [0288.477] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee38 | out: hHeap=0x28d0000) returned 1 [0288.477] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcec8dbd0, ftCreationTime.dwHighDateTime=0x1d5e19e, ftLastAccessTime.dwLowDateTime=0x52cedf90, ftLastAccessTime.dwHighDateTime=0x1d5eb2e, ftLastWriteTime.dwLowDateTime=0x52cedf90, ftLastWriteTime.dwHighDateTime=0x1d5eb2e, nFileSizeHigh=0x0, nFileSizeLow=0x154dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="JDn1qpu0KPYEr.mp3", cAlternateFileName="JDN1QP~1.MP3")) returned 1 [0288.477] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2=".") returned 1 [0288.477] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="..") returned 1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="...") returned 1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="windows") returned -1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="rsa") returned -1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="NTDETECT.COM") returned -1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="ntldr") returned -1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="MSDOS.SYS") returned -1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="IO.SYS") returned 1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="boot.ini") returned 1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="ntuser.dat") returned -1 [0288.478] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="desktop.ini") returned 1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="CONFIG.SYS") returned 1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="RECYCLER") returned -1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="BOOTSECT.BAK") returned 1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="bootmgr") returned 1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="programdata") returned -1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="appdata") returned 1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="program files") returned -1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="program files (x86)") returned -1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="microsoft") returned -1 [0288.479] lstrcmpiW (lpString1="JDn1qpu0KPYEr.mp3", lpString2="sophos") returned -1 [0288.479] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee38 [0288.479] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0288.479] PathFindExtensionW (pszPath="JDn1qpu0KPYEr.mp3") returned=".mp3" [0288.479] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.480] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.480] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d582890, ftCreationTime.dwHighDateTime=0x1d5e1b0, ftLastAccessTime.dwLowDateTime=0xfe68c0f0, ftLastAccessTime.dwHighDateTime=0x1d5ef39, ftLastWriteTime.dwLowDateTime=0xfe68c0f0, ftLastWriteTime.dwHighDateTime=0x1d5ef39, nFileSizeHigh=0x0, nFileSizeLow=0x6c24, dwReserved0=0x0, dwReserved1=0x0, cFileName="NQy4OfQQ.mp3", cAlternateFileName="")) returned 1 [0288.480] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2=".") returned 1 [0288.480] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="..") returned 1 [0288.480] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="...") returned 1 [0288.480] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="windows") returned -1 [0288.480] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.480] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="rsa") returned -1 [0288.480] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="NTDETECT.COM") returned -1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="ntldr") returned -1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="MSDOS.SYS") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="IO.SYS") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="boot.ini") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="ntuser.dat") returned -1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="desktop.ini") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="CONFIG.SYS") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="RECYCLER") returned -1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="BOOTSECT.BAK") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="bootmgr") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="programdata") returned -1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="appdata") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="program files") returned -1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="program files (x86)") returned -1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="microsoft") returned 1 [0288.481] lstrcmpiW (lpString1="NQy4OfQQ.mp3", lpString2="sophos") returned -1 [0288.481] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28deee0 [0288.481] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee38 | out: hHeap=0x28d0000) returned 1 [0288.481] PathFindExtensionW (pszPath="NQy4OfQQ.mp3") returned=".mp3" [0288.481] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.481] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.481] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.481] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.481] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.482] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.482] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.482] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.482] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.482] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.482] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.482] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59ef73c0, ftCreationTime.dwHighDateTime=0x1d5f0a6, ftLastAccessTime.dwLowDateTime=0x59a7e110, ftLastAccessTime.dwHighDateTime=0x1d5eb90, ftLastWriteTime.dwLowDateTime=0x59a7e110, ftLastWriteTime.dwHighDateTime=0x1d5eb90, nFileSizeHigh=0x0, nFileSizeLow=0xa74c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Nv-VpbQdXg.wav", cAlternateFileName="NV-VPB~1.WAV")) returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2=".") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="..") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="...") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="windows") returned -1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="rsa") returned -1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="NTDETECT.COM") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="ntldr") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="MSDOS.SYS") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="IO.SYS") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="boot.ini") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="AUTOEXEC.BAT") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="ntuser.dat") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="desktop.ini") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="CONFIG.SYS") returned 1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="RECYCLER") returned -1 [0288.482] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="BOOTSECT.BAK") returned 1 [0288.483] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="bootmgr") returned 1 [0288.483] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="programdata") returned -1 [0288.483] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="appdata") returned 1 [0288.483] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="program files") returned -1 [0288.483] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="program files (x86)") returned -1 [0288.483] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="microsoft") returned 1 [0288.483] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="sophos") returned -1 [0288.483] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee38 [0288.483] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deee0 | out: hHeap=0x28d0000) returned 1 [0288.483] PathFindExtensionW (pszPath="Nv-VpbQdXg.wav") returned=".wav" [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.483] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.484] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.484] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.484] lstrcmpiW (lpString1="Nv-VpbQdXg.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.484] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28deee0 [0288.484] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\Nv-VpbQdXg.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\rcx0pc\\nv-vpbqdxg.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0288.485] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x26edfc8 | out: lpFileSize=0x26edfc8*=42828) returned 1 [0288.485] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0288.485] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.485] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0288.485] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.485] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.485] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0288.485] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26edf88*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26edf88*=0x100) returned 1 [0288.487] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26edf84*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26edf84*=0x100) returned 1 [0288.549] GetTickCount () returned 0x11883a5 [0288.549] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9d8 [0288.549] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9d8 | out: hHeap=0x28d0000) returned 1 [0288.549] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xa74c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.549] SetLastError (dwErrCode=0x0) [0288.549] WriteFile (in: hFile=0x27c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.550] GetLastError () returned 0x0 [0288.550] GetLastError () returned 0x0 [0288.550] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xa84c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.550] WriteFile (in: hFile=0x27c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.550] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xa94c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.550] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26edf9c | out: lpSystemTimeAsFileTime=0x26edf9c*(dwLowDateTime=0xd24f2874, dwHighDateTime=0x1d5fd73)) [0288.550] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28def88 [0288.551] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def88 | out: hHeap=0x28d0000) returned 1 [0288.551] WriteFile (in: hFile=0x27c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26edfe0*=0x7, lpOverlapped=0x0) returned 1 [0288.551] GetProcessHeap () returned 0xa10000 [0288.551] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xa74c) returned 0xa426c0 [0288.551] GetSystemDefaultLangID () returned 0xa20409 [0288.551] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.551] ReadFile (in: hFile=0x27c, lpBuffer=0xa426c0, nNumberOfBytesToRead=0xa74c, lpNumberOfBytesRead=0x26edfec, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesRead=0x26edfec*=0xa74c, lpOverlapped=0x0) returned 1 [0288.554] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.554] WriteFile (in: hFile=0x27c, lpBuffer=0xa426c0*, nNumberOfBytesToWrite=0xa74c, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesWritten=0x26edfe0*=0xa74c, lpOverlapped=0x0) returned 1 [0288.554] GetProcessHeap () returned 0xa10000 [0288.554] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa426c0 | out: hHeap=0xa10000) returned 1 [0288.554] CloseHandle (hObject=0x27c) returned 1 [0288.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0288.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0288.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.555] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x2d22050 [0288.555] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\Nv-VpbQdXg.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\rcx0pc\\nv-vpbqdxg.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\Rcx0pc\\Nv-VpbQdXg.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\rcx0pc\\nv-vpbqdxg.wav.nefilim")) returned 1 [0288.556] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0288.556] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deee0 | out: hHeap=0x28d0000) returned 1 [0288.556] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a85af0, ftCreationTime.dwHighDateTime=0x1d5ec58, ftLastAccessTime.dwLowDateTime=0x522ee280, ftLastAccessTime.dwHighDateTime=0x1d5e1cc, ftLastWriteTime.dwLowDateTime=0x522ee280, ftLastWriteTime.dwHighDateTime=0x1d5e1cc, nFileSizeHigh=0x0, nFileSizeLow=0x11dda, dwReserved0=0x0, dwReserved1=0x0, cFileName="VUJjL3Pb3pdw oTagoz.mp3", cAlternateFileName="VUJJL3~1.MP3")) returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2=".") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="..") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="...") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="windows") returned -1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="rsa") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="NTDETECT.COM") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="ntldr") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="MSDOS.SYS") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="IO.SYS") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="boot.ini") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="ntuser.dat") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="desktop.ini") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="CONFIG.SYS") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="RECYCLER") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="BOOTSECT.BAK") returned 1 [0288.556] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="bootmgr") returned 1 [0288.557] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="programdata") returned 1 [0288.557] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="appdata") returned 1 [0288.557] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="program files") returned 1 [0288.557] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="program files (x86)") returned 1 [0288.557] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="microsoft") returned 1 [0288.557] lstrcmpiW (lpString1="VUJjL3Pb3pdw oTagoz.mp3", lpString2="sophos") returned 1 [0288.557] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28deee0 [0288.557] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee38 | out: hHeap=0x28d0000) returned 1 [0288.557] PathFindExtensionW (pszPath="VUJjL3Pb3pdw oTagoz.mp3") returned=".mp3" [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.557] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.557] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1433fe50, ftCreationTime.dwHighDateTime=0x1d5ed86, ftLastAccessTime.dwLowDateTime=0xfcb94ba0, ftLastAccessTime.dwHighDateTime=0x1d5f08b, ftLastWriteTime.dwLowDateTime=0xfcb94ba0, ftLastWriteTime.dwHighDateTime=0x1d5f08b, nFileSizeHigh=0x0, nFileSizeLow=0xf2c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="w-ASn.mp3", cAlternateFileName="")) returned 1 [0288.557] lstrcmpiW (lpString1="w-ASn.mp3", lpString2=".") returned 1 [0288.557] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="..") returned 1 [0288.557] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="...") returned 1 [0288.557] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="windows") returned -1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="rsa") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="NTDETECT.COM") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="ntldr") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="MSDOS.SYS") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="IO.SYS") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="boot.ini") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="ntuser.dat") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="desktop.ini") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="CONFIG.SYS") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="RECYCLER") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="BOOTSECT.BAK") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="bootmgr") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="programdata") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="appdata") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="program files") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="program files (x86)") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="microsoft") returned 1 [0288.558] lstrcmpiW (lpString1="w-ASn.mp3", lpString2="sophos") returned 1 [0288.558] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee38 [0288.558] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deee0 | out: hHeap=0x28d0000) returned 1 [0288.558] PathFindExtensionW (pszPath="w-ASn.mp3") returned=".mp3" [0288.558] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.558] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.559] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.559] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.559] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.559] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.559] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.559] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.559] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.559] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.559] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.559] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1433fe50, ftCreationTime.dwHighDateTime=0x1d5ed86, ftLastAccessTime.dwLowDateTime=0xfcb94ba0, ftLastAccessTime.dwHighDateTime=0x1d5f08b, ftLastWriteTime.dwLowDateTime=0xfcb94ba0, ftLastWriteTime.dwHighDateTime=0x1d5f08b, nFileSizeHigh=0x0, nFileSizeLow=0xf2c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="w-ASn.mp3", cAlternateFileName="")) returned 0 [0288.559] FindClose (in: hFindFile=0xa2f920 | out: hFindFile=0xa2f920) returned 1 [0288.559] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee38 | out: hHeap=0x28d0000) returned 1 [0288.559] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedb0 | out: hHeap=0x28d0000) returned 1 [0288.559] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded28 | out: hHeap=0x28d0000) returned 1 [0288.559] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62a7b9b0, ftCreationTime.dwHighDateTime=0x1d5efa1, ftLastAccessTime.dwLowDateTime=0xb8bbfe90, ftLastAccessTime.dwHighDateTime=0x1d5e5e4, ftLastWriteTime.dwLowDateTime=0xb8bbfe90, ftLastWriteTime.dwHighDateTime=0x1d5e5e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S_ciMzGd", cAlternateFileName="")) returned 1 [0288.559] lstrcmpiW (lpString1="S_ciMzGd", lpString2=".") returned 1 [0288.559] lstrcmpiW (lpString1="S_ciMzGd", lpString2="..") returned 1 [0288.559] lstrcmpiW (lpString1="S_ciMzGd", lpString2="...") returned 1 [0288.559] lstrcmpiW (lpString1="S_ciMzGd", lpString2="windows") returned -1 [0288.559] lstrcmpiW (lpString1="S_ciMzGd", lpString2="$RECYCLE.BIN") returned 1 [0288.559] lstrcmpiW (lpString1="S_ciMzGd", lpString2="rsa") returned 1 [0288.559] lstrcmpiW (lpString1="S_ciMzGd", lpString2="NTDETECT.COM") returned 1 [0288.559] lstrcmpiW (lpString1="S_ciMzGd", lpString2="ntldr") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="MSDOS.SYS") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="IO.SYS") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="boot.ini") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="AUTOEXEC.BAT") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="ntuser.dat") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="desktop.ini") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="CONFIG.SYS") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="RECYCLER") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="BOOTSECT.BAK") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="bootmgr") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="programdata") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="appdata") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="program files") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="program files (x86)") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="microsoft") returned 1 [0288.560] lstrcmpiW (lpString1="S_ciMzGd", lpString2="sophos") returned -1 [0288.560] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28ded28 [0288.560] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xbe) returned 0x28dedb0 [0288.560] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded28 | out: hHeap=0x28d0000) returned 1 [0288.560] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.560] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28deca0 [0288.560] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dee78 [0288.560] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28def10 [0288.560] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\*.*", lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62a7b9b0, ftCreationTime.dwHighDateTime=0x1d5efa1, ftLastAccessTime.dwLowDateTime=0xb8bbfe90, ftLastAccessTime.dwHighDateTime=0x1d5e5e4, ftLastWriteTime.dwLowDateTime=0xb8bbfe90, ftLastWriteTime.dwHighDateTime=0x1d5e5e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xa2f420 [0288.561] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.561] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62a7b9b0, ftCreationTime.dwHighDateTime=0x1d5efa1, ftLastAccessTime.dwLowDateTime=0xb8bbfe90, ftLastAccessTime.dwHighDateTime=0x1d5e5e4, ftLastWriteTime.dwLowDateTime=0xb8bbfe90, ftLastWriteTime.dwHighDateTime=0x1d5e5e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0288.561] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.561] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.561] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73584c60, ftCreationTime.dwHighDateTime=0x1d5e390, ftLastAccessTime.dwLowDateTime=0xf8daddd0, ftLastAccessTime.dwHighDateTime=0x1d5e0c5, ftLastWriteTime.dwLowDateTime=0xf8daddd0, ftLastWriteTime.dwHighDateTime=0x1d5e0c5, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="Dau5CHGboQpZZcdnx0YM.m4a", cAlternateFileName="DAU5CH~1.M4A")) returned 1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2=".") returned 1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="..") returned 1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="...") returned 1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="windows") returned -1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="$RECYCLE.BIN") returned 1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="rsa") returned -1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="NTDETECT.COM") returned -1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="ntldr") returned -1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="MSDOS.SYS") returned -1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="IO.SYS") returned -1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="boot.ini") returned 1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="ntuser.dat") returned -1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="desktop.ini") returned -1 [0288.561] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="CONFIG.SYS") returned 1 [0288.562] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="RECYCLER") returned -1 [0288.562] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="BOOTSECT.BAK") returned 1 [0288.562] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="bootmgr") returned 1 [0288.562] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="programdata") returned -1 [0288.562] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="appdata") returned 1 [0288.562] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="program files") returned -1 [0288.562] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="program files (x86)") returned -1 [0288.562] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="microsoft") returned -1 [0288.562] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="sophos") returned -1 [0288.562] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x2d22050 [0288.562] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def10 | out: hHeap=0x28d0000) returned 1 [0288.562] PathFindExtensionW (pszPath="Dau5CHGboQpZZcdnx0YM.m4a") returned=".m4a" [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0288.562] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0288.563] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0288.563] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0288.563] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0288.563] lstrcmpiW (lpString1="Dau5CHGboQpZZcdnx0YM.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.563] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x28def10 [0288.563] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\Dau5CHGboQpZZcdnx0YM.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\s_cimzgd\\dau5chgboqpzzcdnx0ym.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0288.564] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x26edfc8 | out: lpFileSize=0x26edfc8*=1512) returned 1 [0288.564] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0288.564] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.564] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0288.564] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.564] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0288.564] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0288.564] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26edf88*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26edf88*=0x100) returned 1 [0288.566] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26edf84*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26edf84*=0x100) returned 1 [0288.568] GetTickCount () returned 0x11883b4 [0288.568] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb98 [0288.568] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb98 | out: hHeap=0x28d0000) returned 1 [0288.568] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x5e8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.568] SetLastError (dwErrCode=0x0) [0288.568] WriteFile (in: hFile=0x27c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.569] GetLastError () returned 0x0 [0288.569] GetLastError () returned 0x0 [0288.569] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x6e8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.569] WriteFile (in: hFile=0x27c, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.570] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x7e8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.570] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26edf9c | out: lpSystemTimeAsFileTime=0x26edf9c*(dwLowDateTime=0xd2518e0c, dwHighDateTime=0x1d5fd73)) [0288.570] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28ded38 [0288.570] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded38 | out: hHeap=0x28d0000) returned 1 [0288.570] WriteFile (in: hFile=0x27c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26edfe0*=0x7, lpOverlapped=0x0) returned 1 [0288.570] GetProcessHeap () returned 0xa10000 [0288.570] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x5e8) returned 0xa34b88 [0288.570] GetSystemDefaultLangID () returned 0xa20409 [0288.570] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.570] ReadFile (in: hFile=0x27c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x5e8, lpNumberOfBytesRead=0x26edfec, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26edfec*=0x5e8, lpOverlapped=0x0) returned 1 [0288.570] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.570] WriteFile (in: hFile=0x27c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x5e8, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26edfe0*=0x5e8, lpOverlapped=0x0) returned 1 [0288.570] GetProcessHeap () returned 0xa10000 [0288.571] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0288.571] CloseHandle (hObject=0x27c) returned 1 [0288.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0288.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0288.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0288.571] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.571] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x2d22118 [0288.571] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\Dau5CHGboQpZZcdnx0YM.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\s_cimzgd\\dau5chgboqpzzcdnx0ym.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\Dau5CHGboQpZZcdnx0YM.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\s_cimzgd\\dau5chgboqpzzcdnx0ym.m4a.nefilim")) returned 1 [0288.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22118 | out: hHeap=0x28d0000) returned 1 [0288.572] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def10 | out: hHeap=0x28d0000) returned 1 [0288.572] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc06dba00, ftCreationTime.dwHighDateTime=0x1d5e36b, ftLastAccessTime.dwLowDateTime=0x891517a0, ftLastAccessTime.dwHighDateTime=0x1d5e128, ftLastWriteTime.dwLowDateTime=0x891517a0, ftLastWriteTime.dwHighDateTime=0x1d5e128, nFileSizeHigh=0x0, nFileSizeLow=0x17e57, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="DBjFvwcBmzp5Oz.wav", cAlternateFileName="DBJFVW~1.WAV")) returned 1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2=".") returned 1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="..") returned 1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="...") returned 1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="windows") returned -1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="rsa") returned -1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="NTDETECT.COM") returned -1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="ntldr") returned -1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="MSDOS.SYS") returned -1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="IO.SYS") returned -1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="boot.ini") returned 1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="AUTOEXEC.BAT") returned 1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="ntuser.dat") returned -1 [0288.572] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="desktop.ini") returned -1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="CONFIG.SYS") returned 1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="RECYCLER") returned -1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="BOOTSECT.BAK") returned 1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="bootmgr") returned 1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="programdata") returned -1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="appdata") returned 1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="program files") returned -1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="program files (x86)") returned -1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="microsoft") returned -1 [0288.573] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="sophos") returned -1 [0288.573] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28def10 [0288.573] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0288.573] PathFindExtensionW (pszPath="DBjFvwcBmzp5Oz.wav") returned=".wav" [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.573] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.574] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.574] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.574] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.574] lstrcmpiW (lpString1="DBjFvwcBmzp5Oz.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x2d22050 [0288.574] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\DBjFvwcBmzp5Oz.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\s_cimzgd\\dbjfvwcbmzp5oz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0288.574] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x26edfc8 | out: lpFileSize=0x26edfc8*=97879) returned 1 [0288.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0288.574] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.574] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0288.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.574] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.574] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26edf88*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26edf88*=0x100) returned 1 [0288.575] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26edf84*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26edf84*=0x100) returned 1 [0288.577] GetTickCount () returned 0x11883b4 [0288.577] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb98 [0288.577] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb98 | out: hHeap=0x28d0000) returned 1 [0288.577] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x17e57, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.577] SetLastError (dwErrCode=0x0) [0288.577] WriteFile (in: hFile=0x27c, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.578] GetLastError () returned 0x0 [0288.578] GetLastError () returned 0x0 [0288.578] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x17f57, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.578] WriteFile (in: hFile=0x27c, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.579] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x18057, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.579] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26edf9c | out: lpSystemTimeAsFileTime=0x26edf9c*(dwLowDateTime=0xd253f03e, dwHighDateTime=0x1d5fd73)) [0288.579] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28ded38 [0288.579] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded38 | out: hHeap=0x28d0000) returned 1 [0288.579] WriteFile (in: hFile=0x27c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26edfe0*=0x7, lpOverlapped=0x0) returned 1 [0288.579] GetProcessHeap () returned 0xa10000 [0288.579] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x17e57) returned 0xa426c0 [0288.581] GetSystemDefaultLangID () returned 0xa20409 [0288.581] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.581] ReadFile (in: hFile=0x27c, lpBuffer=0xa426c0, nNumberOfBytesToRead=0x17e57, lpNumberOfBytesRead=0x26edfec, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesRead=0x26edfec*=0x17e57, lpOverlapped=0x0) returned 1 [0288.588] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.588] WriteFile (in: hFile=0x27c, lpBuffer=0xa426c0*, nNumberOfBytesToWrite=0x17e57, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesWritten=0x26edfe0*=0x17e57, lpOverlapped=0x0) returned 1 [0288.589] GetProcessHeap () returned 0xa10000 [0288.589] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa426c0 | out: hHeap=0xa10000) returned 1 [0288.589] CloseHandle (hObject=0x27c) returned 1 [0288.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0288.589] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xc0) returned 0x2d22108 [0288.589] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\DBjFvwcBmzp5Oz.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\s_cimzgd\\dbjfvwcbmzp5oz.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\DBjFvwcBmzp5Oz.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\s_cimzgd\\dbjfvwcbmzp5oz.wav.nefilim")) returned 1 [0288.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22108 | out: hHeap=0x28d0000) returned 1 [0288.590] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0288.590] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6617a410, ftCreationTime.dwHighDateTime=0x1d5ee99, ftLastAccessTime.dwLowDateTime=0xff46d6c0, ftLastAccessTime.dwHighDateTime=0x1d5e3c6, ftLastWriteTime.dwLowDateTime=0xff46d6c0, ftLastWriteTime.dwHighDateTime=0x1d5e3c6, nFileSizeHigh=0x0, nFileSizeLow=0x25b2, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="g3RoIxRmV3.m4a", cAlternateFileName="G3ROIX~1.M4A")) returned 1 [0288.590] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2=".") returned 1 [0288.590] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="..") returned 1 [0288.590] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="...") returned 1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="windows") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="$RECYCLE.BIN") returned 1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="rsa") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="NTDETECT.COM") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="ntldr") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="MSDOS.SYS") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="IO.SYS") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="boot.ini") returned 1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="ntuser.dat") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="desktop.ini") returned 1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="CONFIG.SYS") returned 1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="RECYCLER") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="BOOTSECT.BAK") returned 1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="bootmgr") returned 1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="programdata") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="appdata") returned 1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="program files") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="program files (x86)") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="microsoft") returned -1 [0288.591] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="sophos") returned -1 [0288.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x2d22050 [0288.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def10 | out: hHeap=0x28d0000) returned 1 [0288.591] PathFindExtensionW (pszPath="g3RoIxRmV3.m4a") returned=".m4a" [0288.591] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0288.591] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0288.592] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0288.592] lstrcmpiW (lpString1="g3RoIxRmV3.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.592] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28def10 [0288.592] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\g3RoIxRmV3.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\s_cimzgd\\g3roixrmv3.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0288.592] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x26edfc8 | out: lpFileSize=0x26edfc8*=9650) returned 1 [0288.592] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0288.593] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.593] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0288.593] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.593] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0288.593] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0288.593] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26edf88*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26edf88*=0x100) returned 1 [0288.655] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26edf84*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26edf84*=0x100) returned 1 [0288.657] GetTickCount () returned 0x1188412 [0288.679] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deab8 [0288.679] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deab8 | out: hHeap=0x28d0000) returned 1 [0288.679] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x25b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.679] SetLastError (dwErrCode=0x0) [0288.679] WriteFile (in: hFile=0x27c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.681] GetLastError () returned 0x0 [0288.681] GetLastError () returned 0x0 [0288.681] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x26b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.681] WriteFile (in: hFile=0x27c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26edfe0*=0x100, lpOverlapped=0x0) returned 1 [0288.681] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x27b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.681] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26edf9c | out: lpSystemTimeAsFileTime=0x26edf9c*(dwLowDateTime=0xd263465b, dwHighDateTime=0x1d5fd73)) [0288.681] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28ded38 [0288.681] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded38 | out: hHeap=0x28d0000) returned 1 [0288.681] WriteFile (in: hFile=0x27c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26edfe0*=0x7, lpOverlapped=0x0) returned 1 [0288.681] GetProcessHeap () returned 0xa10000 [0288.681] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x25b2) returned 0xa426c0 [0288.681] GetSystemDefaultLangID () returned 0xa20409 [0288.682] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.682] ReadFile (in: hFile=0x27c, lpBuffer=0xa426c0, nNumberOfBytesToRead=0x25b2, lpNumberOfBytesRead=0x26edfec, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesRead=0x26edfec*=0x25b2, lpOverlapped=0x0) returned 1 [0288.682] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.682] WriteFile (in: hFile=0x27c, lpBuffer=0xa426c0*, nNumberOfBytesToWrite=0x25b2, lpNumberOfBytesWritten=0x26edfe0, lpOverlapped=0x0 | out: lpBuffer=0xa426c0*, lpNumberOfBytesWritten=0x26edfe0*=0x25b2, lpOverlapped=0x0) returned 1 [0288.683] GetProcessHeap () returned 0xa10000 [0288.751] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa426c0 | out: hHeap=0xa10000) returned 1 [0288.751] CloseHandle (hObject=0x27c) returned 1 [0288.751] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0288.751] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0288.751] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0288.751] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.751] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x2d220f8 [0288.751] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\g3RoIxRmV3.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\s_cimzgd\\g3roixrmv3.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\7CmHrL5TaYcm\\S_ciMzGd\\g3RoIxRmV3.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\7cmhrl5taycm\\s_cimzgd\\g3roixrmv3.m4a.nefilim")) returned 1 [0288.752] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d220f8 | out: hHeap=0x28d0000) returned 1 [0288.752] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def10 | out: hHeap=0x28d0000) returned 1 [0288.752] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb488d5d0, ftCreationTime.dwHighDateTime=0x1d5ed2f, ftLastAccessTime.dwLowDateTime=0x3b841460, ftLastAccessTime.dwHighDateTime=0x1d5e12c, ftLastWriteTime.dwLowDateTime=0x3b841460, ftLastWriteTime.dwHighDateTime=0x1d5e12c, nFileSizeHigh=0x0, nFileSizeLow=0x3cf8, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="iKHxCoiwFb_3sYDGdqB.mp3", cAlternateFileName="IKHXCO~1.MP3")) returned 1 [0288.752] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2=".") returned 1 [0288.752] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="..") returned 1 [0288.752] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="...") returned 1 [0288.752] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="windows") returned -1 [0288.752] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="rsa") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="NTDETECT.COM") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="ntldr") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="MSDOS.SYS") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="IO.SYS") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="boot.ini") returned 1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="ntuser.dat") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="desktop.ini") returned 1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="CONFIG.SYS") returned 1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="RECYCLER") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="BOOTSECT.BAK") returned 1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="bootmgr") returned 1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="programdata") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="appdata") returned 1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="program files") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="program files (x86)") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="microsoft") returned -1 [0288.753] lstrcmpiW (lpString1="iKHxCoiwFb_3sYDGdqB.mp3", lpString2="sophos") returned -1 [0288.753] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28def10 [0288.753] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0288.753] PathFindExtensionW (pszPath="iKHxCoiwFb_3sYDGdqB.mp3") returned=".mp3" [0288.753] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.753] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.753] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.753] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.753] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.753] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.753] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.753] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.754] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.754] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.754] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.754] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56bcc020, ftCreationTime.dwHighDateTime=0x1d5f053, ftLastAccessTime.dwLowDateTime=0x33a076f0, ftLastAccessTime.dwHighDateTime=0x1d5e7ec, ftLastWriteTime.dwLowDateTime=0x33a076f0, ftLastWriteTime.dwHighDateTime=0x1d5e7ec, nFileSizeHigh=0x0, nFileSizeLow=0x62a4, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="Yc9PBo1GoUdd-pCsw.mp3", cAlternateFileName="YC9PBO~1.MP3")) returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2=".") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="..") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="...") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="windows") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="rsa") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="NTDETECT.COM") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="ntldr") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="MSDOS.SYS") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="IO.SYS") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="boot.ini") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="ntuser.dat") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="desktop.ini") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="CONFIG.SYS") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="RECYCLER") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="BOOTSECT.BAK") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="bootmgr") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="programdata") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="appdata") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="program files") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="program files (x86)") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="microsoft") returned 1 [0288.754] lstrcmpiW (lpString1="Yc9PBo1GoUdd-pCsw.mp3", lpString2="sophos") returned 1 [0288.754] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x2d22050 [0288.754] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28def10 | out: hHeap=0x28d0000) returned 1 [0288.754] PathFindExtensionW (pszPath="Yc9PBo1GoUdd-pCsw.mp3") returned=".mp3" [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.755] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.755] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26ee0d8 | out: lpFindFileData=0x26ee0d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56bcc020, ftCreationTime.dwHighDateTime=0x1d5f053, ftLastAccessTime.dwLowDateTime=0x33a076f0, ftLastAccessTime.dwHighDateTime=0x1d5e7ec, ftLastWriteTime.dwLowDateTime=0x33a076f0, ftLastWriteTime.dwHighDateTime=0x1d5e7ec, nFileSizeHigh=0x0, nFileSizeLow=0x62a4, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="Yc9PBo1GoUdd-pCsw.mp3", cAlternateFileName="YC9PBO~1.MP3")) returned 0 [0288.755] FindClose (in: hFindFile=0xa2f420 | out: hFindFile=0xa2f420) returned 1 [0288.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22050 | out: hHeap=0x28d0000) returned 1 [0288.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee78 | out: hHeap=0x28d0000) returned 1 [0288.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.755] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62a7b9b0, ftCreationTime.dwHighDateTime=0x1d5efa1, ftLastAccessTime.dwLowDateTime=0xb8bbfe90, ftLastAccessTime.dwHighDateTime=0x1d5e5e4, ftLastWriteTime.dwLowDateTime=0xb8bbfe90, ftLastWriteTime.dwHighDateTime=0x1d5e5e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S_ciMzGd", cAlternateFileName="")) returned 0 [0288.755] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0288.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedb0 | out: hHeap=0x28d0000) returned 1 [0288.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0288.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0288.755] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5f385c0, ftCreationTime.dwHighDateTime=0x1d5ed7e, ftLastAccessTime.dwLowDateTime=0xf088b7d0, ftLastAccessTime.dwHighDateTime=0x1d5e71c, ftLastWriteTime.dwLowDateTime=0xf088b7d0, ftLastWriteTime.dwHighDateTime=0x1d5e71c, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="j8AANdJso9G.wav", cAlternateFileName="J8AAND~1.WAV")) returned 1 [0288.755] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2=".") returned 1 [0288.755] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="..") returned 1 [0288.755] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="...") returned 1 [0288.755] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="windows") returned -1 [0288.755] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="rsa") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="NTDETECT.COM") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="ntldr") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="MSDOS.SYS") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="IO.SYS") returned 1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="boot.ini") returned 1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="AUTOEXEC.BAT") returned 1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="ntuser.dat") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="desktop.ini") returned 1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="CONFIG.SYS") returned 1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="RECYCLER") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="BOOTSECT.BAK") returned 1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="bootmgr") returned 1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="programdata") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="appdata") returned 1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="program files") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="program files (x86)") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="microsoft") returned -1 [0288.756] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="sophos") returned -1 [0288.756] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe08 [0288.756] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0288.756] PathFindExtensionW (pszPath="j8AANdJso9G.wav") returned=".wav" [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.756] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.757] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.757] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.757] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.757] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.757] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.757] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.757] lstrcmpiW (lpString1="j8AANdJso9G.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28deca0 [0288.757] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\j8AANdJso9G.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\j8aandjso9g.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0288.757] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=1058) returned 1 [0288.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0288.757] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.757] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0288.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0288.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.757] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0288.758] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0288.758] GetTickCount () returned 0x1188470 [0288.758] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8f8 [0288.758] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8f8 | out: hHeap=0x28d0000) returned 1 [0288.758] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x422, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.758] SetLastError (dwErrCode=0x0) [0288.758] WriteFile (in: hFile=0x274, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0288.759] GetLastError () returned 0x0 [0288.759] GetLastError () returned 0x0 [0288.759] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x522, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.760] WriteFile (in: hFile=0x274, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0288.760] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x622, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.760] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd26e27f4, dwHighDateTime=0x1d5fd73)) [0288.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0288.760] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0288.760] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0288.760] GetProcessHeap () returned 0xa10000 [0288.760] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x422) returned 0xa34b88 [0288.760] GetSystemDefaultLangID () returned 0xa20409 [0288.760] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.760] ReadFile (in: hFile=0x274, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x422, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee62c*=0x422, lpOverlapped=0x0) returned 1 [0288.760] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.760] WriteFile (in: hFile=0x274, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x422, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee620*=0x422, lpOverlapped=0x0) returned 1 [0288.760] GetProcessHeap () returned 0xa10000 [0288.760] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0288.760] CloseHandle (hObject=0x274) returned 1 [0288.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0288.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.761] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0288.761] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28ded28 [0288.761] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\j8AANdJso9G.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\j8aandjso9g.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\j8AANdJso9G.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\j8aandjso9g.wav.nefilim")) returned 1 [0288.762] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded28 | out: hHeap=0x28d0000) returned 1 [0288.762] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.762] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67fbe820, ftCreationTime.dwHighDateTime=0x1d5e44b, ftLastAccessTime.dwLowDateTime=0xf9f943a0, ftLastAccessTime.dwHighDateTime=0x1d5e219, ftLastWriteTime.dwLowDateTime=0xf9f943a0, ftLastWriteTime.dwHighDateTime=0x1d5e219, nFileSizeHigh=0x0, nFileSizeLow=0x1599a, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="oarYoxHwu.wav", cAlternateFileName="OARYOX~1.WAV")) returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2=".") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="..") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="...") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="windows") returned -1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="rsa") returned -1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="NTDETECT.COM") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="ntldr") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="MSDOS.SYS") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="IO.SYS") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="boot.ini") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="AUTOEXEC.BAT") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="ntuser.dat") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="desktop.ini") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="CONFIG.SYS") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="RECYCLER") returned -1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="BOOTSECT.BAK") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="bootmgr") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="programdata") returned -1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="appdata") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="program files") returned -1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="program files (x86)") returned -1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="microsoft") returned 1 [0288.762] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="sophos") returned -1 [0288.762] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0288.763] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0288.763] PathFindExtensionW (pszPath="oarYoxHwu.wav") returned=".wav" [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.763] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.763] lstrcmpiW (lpString1="oarYoxHwu.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.763] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe08 [0288.763] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\oarYoxHwu.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\oaryoxhwu.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0288.763] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=88474) returned 1 [0288.763] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.763] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0288.764] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.764] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0288.764] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.764] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0288.764] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0288.764] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0288.766] GetTickCount () returned 0x1188470 [0288.766] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea48 [0288.766] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea48 | out: hHeap=0x28d0000) returned 1 [0288.766] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1599a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.766] SetLastError (dwErrCode=0x0) [0288.766] WriteFile (in: hFile=0x274, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0288.767] GetLastError () returned 0x0 [0288.767] GetLastError () returned 0x0 [0288.767] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15a9a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.768] WriteFile (in: hFile=0x274, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0288.768] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15b9a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.768] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd2708ba2, dwHighDateTime=0x1d5fd73)) [0288.768] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe80 [0288.768] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0288.768] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0288.768] GetProcessHeap () returned 0xa10000 [0288.768] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1599a) returned 0xa406b0 [0288.769] GetSystemDefaultLangID () returned 0xa20409 [0288.769] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.769] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x1599a, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x1599a, lpOverlapped=0x0) returned 1 [0288.775] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.775] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x1599a, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x1599a, lpOverlapped=0x0) returned 1 [0288.775] GetProcessHeap () returned 0xa10000 [0288.775] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0288.775] CloseHandle (hObject=0x274) returned 1 [0288.776] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.776] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0288.776] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.776] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0288.776] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe80 [0288.776] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\oarYoxHwu.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\oaryoxhwu.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\oarYoxHwu.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\oaryoxhwu.wav.nefilim")) returned 1 [0288.777] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0288.777] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0288.777] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bab6eb0, ftCreationTime.dwHighDateTime=0x1d5e1a4, ftLastAccessTime.dwLowDateTime=0xd015ebc0, ftLastAccessTime.dwHighDateTime=0x1d5e0ce, ftLastWriteTime.dwLowDateTime=0xd015ebc0, ftLastWriteTime.dwHighDateTime=0x1d5e0ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="S4we-hWe", cAlternateFileName="")) returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2=".") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="..") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="...") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="windows") returned -1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="$RECYCLE.BIN") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="rsa") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="NTDETECT.COM") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="ntldr") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="MSDOS.SYS") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="IO.SYS") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="boot.ini") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="AUTOEXEC.BAT") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="ntuser.dat") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="desktop.ini") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="CONFIG.SYS") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="RECYCLER") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="BOOTSECT.BAK") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="bootmgr") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="programdata") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="appdata") returned 1 [0288.777] lstrcmpiW (lpString1="S4we-hWe", lpString2="program files") returned 1 [0288.778] lstrcmpiW (lpString1="S4we-hWe", lpString2="program files (x86)") returned 1 [0288.778] lstrcmpiW (lpString1="S4we-hWe", lpString2="microsoft") returned 1 [0288.778] lstrcmpiW (lpString1="S4we-hWe", lpString2="sophos") returned -1 [0288.778] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe08 [0288.778] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0288.778] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0288.778] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe80 [0288.778] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28deca0 [0288.778] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\S4we-hWe\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bab6eb0, ftCreationTime.dwHighDateTime=0x1d5e1a4, ftLastAccessTime.dwLowDateTime=0xd015ebc0, ftLastAccessTime.dwHighDateTime=0x1d5e0ce, ftLastWriteTime.dwLowDateTime=0xd015ebc0, ftLastWriteTime.dwHighDateTime=0x1d5e0ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe08, dwReserved1=0x4000000, cFileName=".", cAlternateFileName="")) returned 0xa2f9a0 [0288.778] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.778] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bab6eb0, ftCreationTime.dwHighDateTime=0x1d5e1a4, ftLastAccessTime.dwLowDateTime=0xd015ebc0, ftLastAccessTime.dwHighDateTime=0x1d5e0ce, ftLastWriteTime.dwLowDateTime=0xd015ebc0, ftLastWriteTime.dwHighDateTime=0x1d5e0ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbe08, dwReserved1=0x4000000, cFileName="..", cAlternateFileName="")) returned 1 [0288.778] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.778] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.778] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a3eb70, ftCreationTime.dwHighDateTime=0x1d5eadb, ftLastAccessTime.dwLowDateTime=0xa07071b0, ftLastAccessTime.dwHighDateTime=0x1d5e655, ftLastWriteTime.dwLowDateTime=0xa07071b0, ftLastWriteTime.dwHighDateTime=0x1d5e655, nFileSizeHigh=0x0, nFileSizeLow=0x7029, dwReserved0=0x28dbe08, dwReserved1=0x4000000, cFileName="blOUkFsRx7.mp3", cAlternateFileName="BLOUKF~1.MP3")) returned 1 [0288.778] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2=".") returned 1 [0288.778] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="..") returned 1 [0288.778] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="...") returned 1 [0288.778] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="windows") returned -1 [0288.778] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.778] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="rsa") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="NTDETECT.COM") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="ntldr") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="MSDOS.SYS") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="IO.SYS") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="boot.ini") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="ntuser.dat") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="desktop.ini") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="CONFIG.SYS") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="RECYCLER") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="BOOTSECT.BAK") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="bootmgr") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="programdata") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="appdata") returned 1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="program files") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="program files (x86)") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="microsoft") returned -1 [0288.779] lstrcmpiW (lpString1="blOUkFsRx7.mp3", lpString2="sophos") returned -1 [0288.779] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28ded18 [0288.779] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.779] PathFindExtensionW (pszPath="blOUkFsRx7.mp3") returned=".mp3" [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.779] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.780] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.780] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c230aa0, ftCreationTime.dwHighDateTime=0x1d5e70c, ftLastAccessTime.dwLowDateTime=0x51966cf0, ftLastAccessTime.dwHighDateTime=0x1d5e878, ftLastWriteTime.dwLowDateTime=0x51966cf0, ftLastWriteTime.dwHighDateTime=0x1d5e878, nFileSizeHigh=0x0, nFileSizeLow=0x6335, dwReserved0=0x28dbe08, dwReserved1=0x4000000, cFileName="KNa3cEcPWCGM1SZ.wav", cAlternateFileName="KNA3CE~1.WAV")) returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2=".") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="..") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="...") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="windows") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="rsa") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="NTDETECT.COM") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="ntldr") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="MSDOS.SYS") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="IO.SYS") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="boot.ini") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="AUTOEXEC.BAT") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="ntuser.dat") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="desktop.ini") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="CONFIG.SYS") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="RECYCLER") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="BOOTSECT.BAK") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="bootmgr") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="programdata") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="appdata") returned 1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="program files") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="program files (x86)") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="microsoft") returned -1 [0288.780] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="sophos") returned -1 [0288.780] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dedb0 [0288.780] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded18 | out: hHeap=0x28d0000) returned 1 [0288.780] PathFindExtensionW (pszPath="KNa3cEcPWCGM1SZ.wav") returned=".wav" [0288.780] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.780] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.780] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.780] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.781] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.781] lstrcmpiW (lpString1="KNa3cEcPWCGM1SZ.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.781] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28deca0 [0288.781] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\S4we-hWe\\KNa3cEcPWCGM1SZ.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\s4we-hwe\\kna3cecpwcgm1sz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0288.781] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=25397) returned 1 [0288.781] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0288.782] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0288.782] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0288.782] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0288.782] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0288.782] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.782] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0288.782] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0288.782] GetTickCount () returned 0x118848f [0288.782] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8f8 [0288.782] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8f8 | out: hHeap=0x28d0000) returned 1 [0288.782] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x6335, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.783] SetLastError (dwErrCode=0x0) [0288.783] WriteFile (in: hFile=0x278, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0288.784] GetLastError () returned 0x0 [0288.784] GetLastError () returned 0x0 [0288.784] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x6435, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.784] WriteFile (in: hFile=0x278, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0288.784] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x6535, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.784] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd272ee11, dwHighDateTime=0x1d5fd73)) [0288.784] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28ded38 [0288.784] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded38 | out: hHeap=0x28d0000) returned 1 [0288.784] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0288.784] GetProcessHeap () returned 0xa10000 [0288.784] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x6335) returned 0xa416b8 [0288.784] GetSystemDefaultLangID () returned 0xa20409 [0288.784] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.784] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x6335, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x6335, lpOverlapped=0x0) returned 1 [0288.786] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.786] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x6335, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x6335, lpOverlapped=0x0) returned 1 [0288.786] GetProcessHeap () returned 0xa10000 [0288.786] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0288.786] CloseHandle (hObject=0x278) returned 1 [0288.786] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0288.786] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.786] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0288.786] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de030 | out: hHeap=0x28d0000) returned 1 [0288.786] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dee48 [0288.786] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\S4we-hWe\\KNa3cEcPWCGM1SZ.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\s4we-hwe\\kna3cecpwcgm1sz.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\S4we-hWe\\KNa3cEcPWCGM1SZ.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\s4we-hwe\\kna3cecpwcgm1sz.wav.nefilim")) returned 1 [0288.787] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dee48 | out: hHeap=0x28d0000) returned 1 [0288.787] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.787] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb93ab80, ftCreationTime.dwHighDateTime=0x1d5e2dd, ftLastAccessTime.dwLowDateTime=0xa87e5b30, ftLastAccessTime.dwHighDateTime=0x1d5e4be, ftLastWriteTime.dwLowDateTime=0xa87e5b30, ftLastWriteTime.dwHighDateTime=0x1d5e4be, nFileSizeHigh=0x0, nFileSizeLow=0x9610, dwReserved0=0x28dbe08, dwReserved1=0x4000000, cFileName="mCDFF4HHWEb4LH-D8.m4a", cAlternateFileName="MCDFF4~1.M4A")) returned 1 [0288.787] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2=".") returned 1 [0288.787] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="..") returned 1 [0288.787] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="...") returned 1 [0288.787] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="windows") returned -1 [0288.787] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="$RECYCLE.BIN") returned 1 [0288.787] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="rsa") returned -1 [0288.787] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="NTDETECT.COM") returned -1 [0288.787] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="ntldr") returned -1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="MSDOS.SYS") returned -1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="IO.SYS") returned 1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="boot.ini") returned 1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="ntuser.dat") returned -1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="desktop.ini") returned 1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="CONFIG.SYS") returned 1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="RECYCLER") returned -1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="BOOTSECT.BAK") returned 1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="bootmgr") returned 1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="programdata") returned -1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="appdata") returned 1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="program files") returned -1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="program files (x86)") returned -1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="microsoft") returned -1 [0288.788] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="sophos") returned -1 [0288.788] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28deca0 [0288.788] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedb0 | out: hHeap=0x28d0000) returned 1 [0288.788] PathFindExtensionW (pszPath="mCDFF4HHWEb4LH-D8.m4a") returned=".m4a" [0288.788] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0288.788] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0288.788] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0288.788] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0288.788] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0288.788] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0288.788] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0288.788] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0288.789] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0288.789] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0288.789] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0288.789] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0288.789] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0288.789] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0288.789] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0288.789] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0288.789] lstrcmpiW (lpString1="mCDFF4HHWEb4LH-D8.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.789] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28ded48 [0288.789] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\S4we-hWe\\mCDFF4HHWEb4LH-D8.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\s4we-hwe\\mcdff4hhweb4lh-d8.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0288.789] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=38416) returned 1 [0288.789] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0288.789] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.789] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0288.789] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.789] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0288.789] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.789] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0288.790] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0288.790] GetTickCount () returned 0x118848f [0288.790] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deab8 [0288.790] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deab8 | out: hHeap=0x28d0000) returned 1 [0288.790] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x9610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.790] SetLastError (dwErrCode=0x0) [0288.790] WriteFile (in: hFile=0x278, lpBuffer=0x2d21828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d21828*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0288.791] GetLastError () returned 0x0 [0288.791] GetLastError () returned 0x0 [0288.791] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x9710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.791] WriteFile (in: hFile=0x278, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0288.791] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x9810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.791] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd272ee11, dwHighDateTime=0x1d5fd73)) [0288.791] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dedf0 [0288.791] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedf0 | out: hHeap=0x28d0000) returned 1 [0288.791] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0288.791] GetProcessHeap () returned 0xa10000 [0288.791] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x9610) returned 0xa416b8 [0288.792] GetSystemDefaultLangID () returned 0xa20409 [0288.792] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.792] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x9610, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x9610, lpOverlapped=0x0) returned 1 [0288.794] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.794] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x9610, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x9610, lpOverlapped=0x0) returned 1 [0288.794] GetProcessHeap () returned 0xa10000 [0288.794] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0288.795] CloseHandle (hObject=0x278) returned 1 [0288.795] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21828 | out: hHeap=0x28d0000) returned 1 [0288.795] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.796] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0288.796] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.796] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dedf0 [0288.796] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\S4we-hWe\\mCDFF4HHWEb4LH-D8.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\s4we-hwe\\mcdff4hhweb4lh-d8.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\S4we-hWe\\mCDFF4HHWEb4LH-D8.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\s4we-hwe\\mcdff4hhweb4lh-d8.m4a.nefilim")) returned 1 [0288.796] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedf0 | out: hHeap=0x28d0000) returned 1 [0288.796] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded48 | out: hHeap=0x28d0000) returned 1 [0288.796] FindNextFileW (in: hFindFile=0xa2f9a0, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb93ab80, ftCreationTime.dwHighDateTime=0x1d5e2dd, ftLastAccessTime.dwLowDateTime=0xa87e5b30, ftLastAccessTime.dwHighDateTime=0x1d5e4be, ftLastWriteTime.dwLowDateTime=0xa87e5b30, ftLastWriteTime.dwHighDateTime=0x1d5e4be, nFileSizeHigh=0x0, nFileSizeLow=0x9610, dwReserved0=0x28dbe08, dwReserved1=0x4000000, cFileName="mCDFF4HHWEb4LH-D8.m4a", cAlternateFileName="MCDFF4~1.M4A")) returned 0 [0288.796] FindClose (in: hFindFile=0xa2f9a0 | out: hFindFile=0xa2f9a0) returned 1 [0288.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0288.845] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0288.845] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21ea86e0, ftCreationTime.dwHighDateTime=0x1d5e683, ftLastAccessTime.dwLowDateTime=0x84939a90, ftLastAccessTime.dwHighDateTime=0x1d5e24e, ftLastWriteTime.dwLowDateTime=0x84939a90, ftLastWriteTime.dwHighDateTime=0x1d5e24e, nFileSizeHigh=0x0, nFileSizeLow=0x93b1, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="tGXX4NuJM00Xb7go.wav", cAlternateFileName="TGXX4N~1.WAV")) returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2=".") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="..") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="...") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="windows") returned -1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="rsa") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="NTDETECT.COM") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="ntldr") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="MSDOS.SYS") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="IO.SYS") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="boot.ini") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="AUTOEXEC.BAT") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="ntuser.dat") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="desktop.ini") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="CONFIG.SYS") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="RECYCLER") returned 1 [0288.845] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="BOOTSECT.BAK") returned 1 [0288.846] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="bootmgr") returned 1 [0288.846] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="programdata") returned 1 [0288.846] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="appdata") returned 1 [0288.846] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="program files") returned 1 [0288.846] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="program files (x86)") returned 1 [0288.846] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="microsoft") returned 1 [0288.846] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="sophos") returned 1 [0288.846] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe80 [0288.846] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0288.846] PathFindExtensionW (pszPath="tGXX4NuJM00Xb7go.wav") returned=".wav" [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.846] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.846] lstrcmpiW (lpString1="tGXX4NuJM00Xb7go.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.846] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd90 [0288.847] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\tGXX4NuJM00Xb7go.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\tgxx4nujm00xb7go.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0288.847] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=37809) returned 1 [0288.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0288.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.847] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0288.847] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.847] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0288.848] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0288.849] GetTickCount () returned 0x11884ce [0288.849] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8f8 [0288.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8f8 | out: hHeap=0x28d0000) returned 1 [0288.849] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x93b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.849] SetLastError (dwErrCode=0x0) [0288.849] WriteFile (in: hFile=0x274, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0288.850] GetLastError () returned 0x0 [0288.850] GetLastError () returned 0x0 [0288.850] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x94b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.850] WriteFile (in: hFile=0x274, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0288.851] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x95b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.851] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd27c76ce, dwHighDateTime=0x1d5fd73)) [0288.851] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe18 [0288.851] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0288.851] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0288.851] GetProcessHeap () returned 0xa10000 [0288.851] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x93b1) returned 0xa406b0 [0288.851] GetSystemDefaultLangID () returned 0xa20409 [0288.851] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.851] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x93b1, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x93b1, lpOverlapped=0x0) returned 1 [0288.853] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.853] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x93b1, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x93b1, lpOverlapped=0x0) returned 1 [0288.853] GetProcessHeap () returned 0xa10000 [0288.853] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0288.853] CloseHandle (hObject=0x274) returned 1 [0288.853] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.853] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.854] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de0c0 | out: hHeap=0x28d0000) returned 1 [0288.854] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.854] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28deca0 [0288.854] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\tGXX4NuJM00Xb7go.wav" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\tgxx4nujm00xb7go.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\tGXX4NuJM00Xb7go.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\tgxx4nujm00xb7go.wav.nefilim")) returned 1 [0288.854] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.854] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0288.854] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24f95dd0, ftCreationTime.dwHighDateTime=0x1d5e6e1, ftLastAccessTime.dwLowDateTime=0x55314900, ftLastAccessTime.dwHighDateTime=0x1d5eef1, ftLastWriteTime.dwLowDateTime=0x55314900, ftLastWriteTime.dwHighDateTime=0x1d5eef1, nFileSizeHigh=0x0, nFileSizeLow=0x9523, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="uDKR2jPF2AB4Pa.m4a", cAlternateFileName="UDKR2J~1.M4A")) returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2=".") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="..") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="...") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="windows") returned -1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="$RECYCLE.BIN") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="rsa") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="NTDETECT.COM") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="ntldr") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="MSDOS.SYS") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="IO.SYS") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="boot.ini") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="ntuser.dat") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="desktop.ini") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="CONFIG.SYS") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="RECYCLER") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="BOOTSECT.BAK") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="bootmgr") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="programdata") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="appdata") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="program files") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="program files (x86)") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="microsoft") returned 1 [0288.855] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="sophos") returned 1 [0288.855] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd90 [0288.855] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0288.855] PathFindExtensionW (pszPath="uDKR2jPF2AB4Pa.m4a") returned=".m4a" [0288.855] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0288.855] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0288.855] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0288.855] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0288.855] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0288.856] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0288.856] lstrcmpiW (lpString1="uDKR2jPF2AB4Pa.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.856] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe18 [0288.856] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\uDKR2jPF2AB4Pa.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\udkr2jpf2ab4pa.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0288.856] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=38179) returned 1 [0288.856] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0288.856] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0288.856] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0288.856] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0288.856] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.857] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.857] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0288.857] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0288.857] GetTickCount () returned 0x11884ce [0288.857] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28debd0 [0288.857] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28debd0 | out: hHeap=0x28d0000) returned 1 [0288.857] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x9523, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.857] SetLastError (dwErrCode=0x0) [0288.857] WriteFile (in: hFile=0x274, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0288.858] GetLastError () returned 0x0 [0288.858] GetLastError () returned 0x0 [0288.858] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x9623, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.858] WriteFile (in: hFile=0x274, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0288.858] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x9723, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.858] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd27c76ce, dwHighDateTime=0x1d5fd73)) [0288.858] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea0 [0288.858] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea0 | out: hHeap=0x28d0000) returned 1 [0288.858] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0288.859] GetProcessHeap () returned 0xa10000 [0288.859] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x9523) returned 0xa406b0 [0288.859] GetSystemDefaultLangID () returned 0xa20409 [0288.859] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.859] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x9523, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x9523, lpOverlapped=0x0) returned 1 [0288.864] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.865] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x9523, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x9523, lpOverlapped=0x0) returned 1 [0288.865] GetProcessHeap () returned 0xa10000 [0288.865] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0288.867] CloseHandle (hObject=0x274) returned 1 [0288.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0288.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de000 | out: hHeap=0x28d0000) returned 1 [0288.867] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28deca0 [0288.867] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\uDKR2jPF2AB4Pa.m4a" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\udkr2jpf2ab4pa.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\1J7ClV2R\\IeHqixTzIN\\uDKR2jPF2AB4Pa.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\1j7clv2r\\iehqixtzin\\udkr2jpf2ab4pa.m4a.nefilim")) returned 1 [0288.868] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0288.868] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0288.868] FindNextFileW (in: hFindFile=0xa2f360, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24f95dd0, ftCreationTime.dwHighDateTime=0x1d5e6e1, ftLastAccessTime.dwLowDateTime=0x55314900, ftLastAccessTime.dwHighDateTime=0x1d5eef1, ftLastWriteTime.dwLowDateTime=0x55314900, ftLastWriteTime.dwHighDateTime=0x1d5eef1, nFileSizeHigh=0x0, nFileSizeLow=0x9523, dwReserved0=0x28de7f8, dwReserved1=0x1000000, cFileName="uDKR2jPF2AB4Pa.m4a", cAlternateFileName="UDKR2J~1.M4A")) returned 0 [0288.869] FindClose (in: hFindFile=0xa2f360 | out: hFindFile=0xa2f360) returned 1 [0288.870] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0288.870] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0288.870] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0288.870] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede69860, ftCreationTime.dwHighDateTime=0x1d5ed40, ftLastAccessTime.dwLowDateTime=0xb5eab080, ftLastAccessTime.dwHighDateTime=0x1d5f034, ftLastWriteTime.dwLowDateTime=0xb5eab080, ftLastWriteTime.dwHighDateTime=0x1d5f034, nFileSizeHigh=0x0, nFileSizeLow=0x15cec, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="kl3uP560p7fcapWqM7X.mp3", cAlternateFileName="KL3UP5~1.MP3")) returned 1 [0288.870] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2=".") returned 1 [0288.870] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="..") returned 1 [0288.870] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="...") returned 1 [0288.870] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="windows") returned -1 [0288.870] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="rsa") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="NTDETECT.COM") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="ntldr") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="MSDOS.SYS") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="IO.SYS") returned 1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="boot.ini") returned 1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="ntuser.dat") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="desktop.ini") returned 1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="CONFIG.SYS") returned 1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="RECYCLER") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="BOOTSECT.BAK") returned 1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="bootmgr") returned 1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="programdata") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="appdata") returned 1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="program files") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="program files (x86)") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="microsoft") returned -1 [0288.871] lstrcmpiW (lpString1="kl3uP560p7fcapWqM7X.mp3", lpString2="sophos") returned -1 [0288.871] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0288.871] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.871] PathFindExtensionW (pszPath="kl3uP560p7fcapWqM7X.mp3") returned=".mp3" [0288.871] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.871] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.871] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.871] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.872] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.872] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.872] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.872] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.872] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.872] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.872] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.872] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a5b4fe0, ftCreationTime.dwHighDateTime=0x1d5e9b2, ftLastAccessTime.dwLowDateTime=0x40c1e630, ftLastAccessTime.dwHighDateTime=0x1d5e6a1, ftLastWriteTime.dwLowDateTime=0x40c1e630, ftLastWriteTime.dwHighDateTime=0x1d5e6a1, nFileSizeHigh=0x0, nFileSizeLow=0xc793, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="X8B9i.mp3", cAlternateFileName="")) returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2=".") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="..") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="...") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="windows") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="rsa") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="NTDETECT.COM") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="ntldr") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="MSDOS.SYS") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="IO.SYS") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="boot.ini") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="ntuser.dat") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="desktop.ini") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="CONFIG.SYS") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="RECYCLER") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="BOOTSECT.BAK") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="bootmgr") returned 1 [0288.872] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="programdata") returned 1 [0288.873] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="appdata") returned 1 [0288.873] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="program files") returned 1 [0288.873] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="program files (x86)") returned 1 [0288.873] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="microsoft") returned 1 [0288.873] lstrcmpiW (lpString1="X8B9i.mp3", lpString2="sophos") returned 1 [0288.873] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0288.873] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0288.873] PathFindExtensionW (pszPath="X8B9i.mp3") returned=".mp3" [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.873] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.873] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a5b4fe0, ftCreationTime.dwHighDateTime=0x1d5e9b2, ftLastAccessTime.dwLowDateTime=0x40c1e630, ftLastAccessTime.dwHighDateTime=0x1d5e6a1, ftLastWriteTime.dwLowDateTime=0x40c1e630, ftLastWriteTime.dwHighDateTime=0x1d5e6a1, nFileSizeHigh=0x0, nFileSizeLow=0xc793, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="X8B9i.mp3", cAlternateFileName="")) returned 0 [0288.873] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0288.873] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.873] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0288.873] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.874] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ab6460, ftCreationTime.dwHighDateTime=0x1d5e13a, ftLastAccessTime.dwLowDateTime=0x211a2a0, ftLastAccessTime.dwHighDateTime=0x1d5eb32, ftLastWriteTime.dwLowDateTime=0x211a2a0, ftLastWriteTime.dwHighDateTime=0x1d5eb32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="cdPk3Q", cAlternateFileName="")) returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2=".") returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="..") returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="...") returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="windows") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="$RECYCLE.BIN") returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="rsa") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="NTDETECT.COM") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="ntldr") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="MSDOS.SYS") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="IO.SYS") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="boot.ini") returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="AUTOEXEC.BAT") returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="ntuser.dat") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="desktop.ini") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="CONFIG.SYS") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="RECYCLER") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="BOOTSECT.BAK") returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="bootmgr") returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="programdata") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="appdata") returned 1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="program files") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="program files (x86)") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="microsoft") returned -1 [0288.874] lstrcmpiW (lpString1="cdPk3Q", lpString2="sophos") returned -1 [0288.874] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0288.874] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.875] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.875] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0288.875] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0288.875] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\cdPk3Q\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ab6460, ftCreationTime.dwHighDateTime=0x1d5e13a, ftLastAccessTime.dwLowDateTime=0x211a2a0, ftLastAccessTime.dwHighDateTime=0x1d5eb32, ftLastWriteTime.dwLowDateTime=0x211a2a0, ftLastWriteTime.dwHighDateTime=0x1d5eb32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0288.875] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0288.875] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ab6460, ftCreationTime.dwHighDateTime=0x1d5e13a, ftLastAccessTime.dwLowDateTime=0x211a2a0, ftLastAccessTime.dwHighDateTime=0x1d5eb32, ftLastWriteTime.dwLowDateTime=0x211a2a0, ftLastWriteTime.dwHighDateTime=0x1d5eb32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="..", cAlternateFileName="")) returned 1 [0288.875] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0288.875] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0288.875] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83deb3c0, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0x43339260, ftLastAccessTime.dwHighDateTime=0x1d5eb97, ftLastWriteTime.dwLowDateTime=0x43339260, ftLastWriteTime.dwHighDateTime=0x1d5eb97, nFileSizeHigh=0x0, nFileSizeLow=0x1436e, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="7Zg_4ZEmEEy4prlKDe.mp3", cAlternateFileName="7ZG_4Z~1.MP3")) returned 1 [0288.875] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2=".") returned 1 [0288.875] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="..") returned 1 [0288.875] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="...") returned 1 [0288.875] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="windows") returned -1 [0288.875] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.875] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="rsa") returned -1 [0288.875] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="NTDETECT.COM") returned -1 [0288.875] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="ntldr") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="MSDOS.SYS") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="IO.SYS") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="boot.ini") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="AUTOEXEC.BAT") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="ntuser.dat") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="desktop.ini") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="CONFIG.SYS") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="RECYCLER") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="BOOTSECT.BAK") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="bootmgr") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="programdata") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="appdata") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="program files") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="program files (x86)") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="microsoft") returned -1 [0288.876] lstrcmpiW (lpString1="7Zg_4ZEmEEy4prlKDe.mp3", lpString2="sophos") returned -1 [0288.876] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0288.876] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.876] PathFindExtensionW (pszPath="7Zg_4ZEmEEy4prlKDe.mp3") returned=".mp3" [0288.876] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.876] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.876] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.876] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.876] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.876] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.876] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.876] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.877] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.877] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.877] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.877] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b620530, ftCreationTime.dwHighDateTime=0x1d5e4bb, ftLastAccessTime.dwLowDateTime=0x71ebafe0, ftLastAccessTime.dwHighDateTime=0x1d5eb9a, ftLastWriteTime.dwLowDateTime=0x71ebafe0, ftLastWriteTime.dwHighDateTime=0x1d5eb9a, nFileSizeHigh=0x0, nFileSizeLow=0x801, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="p-my37RLR.wav", cAlternateFileName="P-MY37~1.WAV")) returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2=".") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="..") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="...") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="windows") returned -1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="$RECYCLE.BIN") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="rsa") returned -1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="NTDETECT.COM") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="ntldr") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="MSDOS.SYS") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="IO.SYS") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="boot.ini") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="AUTOEXEC.BAT") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="ntuser.dat") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="desktop.ini") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="CONFIG.SYS") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="RECYCLER") returned -1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="BOOTSECT.BAK") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="bootmgr") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="programdata") returned -1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="appdata") returned 1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="program files") returned -1 [0288.877] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="program files (x86)") returned -1 [0288.878] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="microsoft") returned 1 [0288.878] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="sophos") returned -1 [0288.878] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0288.878] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0288.878] PathFindExtensionW (pszPath="p-my37RLR.wav") returned=".wav" [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0288.878] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0288.878] lstrcmpiW (lpString1="p-my37RLR.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.878] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0288.878] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\cdPk3Q\\p-my37RLR.wav" (normalized: "c:\\users\\fd1hvy\\music\\cdpk3q\\p-my37rlr.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0288.879] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=2049) returned 1 [0288.879] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0288.879] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.879] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0288.879] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.879] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.879] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0288.879] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0288.880] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0288.880] GetTickCount () returned 0x11884ed [0288.880] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8f8 [0288.880] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8f8 | out: hHeap=0x28d0000) returned 1 [0288.880] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x801, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.881] SetLastError (dwErrCode=0x0) [0288.881] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0288.882] GetLastError () returned 0x0 [0288.882] GetLastError () returned 0x0 [0288.882] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x901, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.882] WriteFile (in: hFile=0x270, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0288.882] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa01, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.882] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd2813c4d, dwHighDateTime=0x1d5fd73)) [0288.882] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0288.882] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0288.882] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0288.882] GetProcessHeap () returned 0xa10000 [0288.882] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x801) returned 0xa34b88 [0288.882] GetSystemDefaultLangID () returned 0xa20409 [0288.882] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.882] ReadFile (in: hFile=0x270, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x801, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee94c*=0x801, lpOverlapped=0x0) returned 1 [0288.883] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.883] WriteFile (in: hFile=0x270, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x801, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee940*=0x801, lpOverlapped=0x0) returned 1 [0288.883] GetProcessHeap () returned 0xa10000 [0288.883] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0288.883] CloseHandle (hObject=0x270) returned 1 [0288.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0288.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0288.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.883] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0288.883] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\cdPk3Q\\p-my37RLR.wav" (normalized: "c:\\users\\fd1hvy\\music\\cdpk3q\\p-my37rlr.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\cdPk3Q\\p-my37RLR.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\cdpk3q\\p-my37rlr.wav.nefilim")) returned 1 [0288.884] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0288.884] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0288.884] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d5ef800, ftCreationTime.dwHighDateTime=0x1d5eb9d, ftLastAccessTime.dwLowDateTime=0x8f2c7a90, ftLastAccessTime.dwHighDateTime=0x1d5ee32, ftLastWriteTime.dwLowDateTime=0x8f2c7a90, ftLastWriteTime.dwHighDateTime=0x1d5ee32, nFileSizeHigh=0x0, nFileSizeLow=0xc383, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="zN2roaaVKD0.m4a", cAlternateFileName="ZN2ROA~1.M4A")) returned 1 [0288.884] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2=".") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="..") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="...") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="windows") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="$RECYCLE.BIN") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="rsa") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="NTDETECT.COM") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="ntldr") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="MSDOS.SYS") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="IO.SYS") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="boot.ini") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="ntuser.dat") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="desktop.ini") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="CONFIG.SYS") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="RECYCLER") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="BOOTSECT.BAK") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="bootmgr") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="programdata") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="appdata") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="program files") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="program files (x86)") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="microsoft") returned 1 [0288.885] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="sophos") returned 1 [0288.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0288.885] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.885] PathFindExtensionW (pszPath="zN2roaaVKD0.m4a") returned=".m4a" [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0288.886] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0288.886] lstrcmpiW (lpString1="zN2roaaVKD0.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.886] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0288.886] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\cdPk3Q\\zN2roaaVKD0.m4a" (normalized: "c:\\users\\fd1hvy\\music\\cdpk3q\\zn2roaavkd0.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0288.887] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=50051) returned 1 [0288.887] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0288.887] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0288.887] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0288.887] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0288.887] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.887] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.887] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0288.887] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0288.889] GetTickCount () returned 0x11884ed [0288.889] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec40 [0288.889] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec40 | out: hHeap=0x28d0000) returned 1 [0288.889] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xc383, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.890] SetLastError (dwErrCode=0x0) [0288.890] WriteFile (in: hFile=0x270, lpBuffer=0x2d207a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d207a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0288.891] GetLastError () returned 0x0 [0288.891] GetLastError () returned 0x0 [0288.891] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xc483, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.939] WriteFile (in: hFile=0x270, lpBuffer=0x2d20dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20dd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0288.939] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xc583, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.939] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd28ac438, dwHighDateTime=0x1d5fd73)) [0288.939] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0288.939] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0288.939] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0288.940] GetProcessHeap () returned 0xa10000 [0288.940] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xc383) returned 0xa3f6a8 [0288.941] GetSystemDefaultLangID () returned 0xa20409 [0288.941] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.941] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xc383, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xc383, lpOverlapped=0x0) returned 1 [0288.946] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.946] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xc383, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xc383, lpOverlapped=0x0) returned 1 [0288.947] GetProcessHeap () returned 0xa10000 [0288.947] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0288.947] CloseHandle (hObject=0x270) returned 1 [0288.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d207a8 | out: hHeap=0x28d0000) returned 1 [0288.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20dd8 | out: hHeap=0x28d0000) returned 1 [0288.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de078 | out: hHeap=0x28d0000) returned 1 [0288.947] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de168 | out: hHeap=0x28d0000) returned 1 [0288.947] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0288.947] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\cdPk3Q\\zN2roaaVKD0.m4a" (normalized: "c:\\users\\fd1hvy\\music\\cdpk3q\\zn2roaavkd0.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\cdPk3Q\\zN2roaaVKD0.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\cdpk3q\\zn2roaavkd0.m4a.nefilim")) returned 1 [0288.948] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0288.948] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.948] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d5ef800, ftCreationTime.dwHighDateTime=0x1d5eb9d, ftLastAccessTime.dwLowDateTime=0x8f2c7a90, ftLastAccessTime.dwHighDateTime=0x1d5ee32, ftLastWriteTime.dwLowDateTime=0x8f2c7a90, ftLastWriteTime.dwHighDateTime=0x1d5ee32, nFileSizeHigh=0x0, nFileSizeLow=0xc383, dwReserved0=0x28de7c0, dwReserved1=0x7000000, cFileName="zN2roaaVKD0.m4a", cAlternateFileName="ZN2ROA~1.M4A")) returned 0 [0288.948] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0288.949] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0288.949] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0288.949] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.949] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ed2d270, ftCreationTime.dwHighDateTime=0x1d5ed54, ftLastAccessTime.dwLowDateTime=0x142e72a0, ftLastAccessTime.dwHighDateTime=0x1d5f100, ftLastWriteTime.dwLowDateTime=0x142e72a0, ftLastWriteTime.dwHighDateTime=0x1d5f100, nFileSizeHigh=0x0, nFileSizeLow=0x64a1, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="cXbzFI.m4a", cAlternateFileName="")) returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2=".") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="..") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="...") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="windows") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="$RECYCLE.BIN") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="rsa") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="NTDETECT.COM") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="ntldr") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="MSDOS.SYS") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="IO.SYS") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="boot.ini") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="ntuser.dat") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="desktop.ini") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="CONFIG.SYS") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="RECYCLER") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="BOOTSECT.BAK") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="bootmgr") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="programdata") returned -1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="appdata") returned 1 [0288.949] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="program files") returned -1 [0288.950] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="program files (x86)") returned -1 [0288.950] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="microsoft") returned -1 [0288.950] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="sophos") returned -1 [0288.950] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7b0 [0288.950] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.950] PathFindExtensionW (pszPath="cXbzFI.m4a") returned=".m4a" [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0288.950] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0288.950] lstrcmpiW (lpString1="cXbzFI.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0288.950] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0288.951] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\cXbzFI.m4a" (normalized: "c:\\users\\fd1hvy\\music\\cxbzfi.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0288.951] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=25761) returned 1 [0288.951] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0288.951] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.951] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0288.951] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.951] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0288.951] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0288.951] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eec08*=0x100) returned 1 [0288.952] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0288.954] GetTickCount () returned 0x118853b [0288.954] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9d8 [0288.954] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9d8 | out: hHeap=0x28d0000) returned 1 [0288.954] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x64a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.954] SetLastError (dwErrCode=0x0) [0288.954] WriteFile (in: hFile=0x26c, lpBuffer=0x2d21618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d21618*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.955] GetLastError () returned 0x0 [0288.955] GetLastError () returned 0x0 [0288.955] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x65a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.955] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20ee0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0288.955] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x66a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.956] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd28d2702, dwHighDateTime=0x1d5fd73)) [0288.956] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de808 [0288.956] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de808 | out: hHeap=0x28d0000) returned 1 [0288.956] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0288.956] GetProcessHeap () returned 0xa10000 [0288.956] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x64a1) returned 0xa3e6a0 [0288.957] GetSystemDefaultLangID () returned 0xa20409 [0288.957] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.958] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x64a1, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x64a1, lpOverlapped=0x0) returned 1 [0288.960] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0288.960] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x64a1, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x64a1, lpOverlapped=0x0) returned 1 [0288.960] GetProcessHeap () returned 0xa10000 [0288.960] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0288.960] CloseHandle (hObject=0x26c) returned 1 [0288.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d21618 | out: hHeap=0x28d0000) returned 1 [0288.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20ee0 | out: hHeap=0x28d0000) returned 1 [0288.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de180 | out: hHeap=0x28d0000) returned 1 [0288.960] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ddfe8 | out: hHeap=0x28d0000) returned 1 [0288.960] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de808 [0288.960] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\cXbzFI.m4a" (normalized: "c:\\users\\fd1hvy\\music\\cxbzfi.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\cXbzFI.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\cxbzfi.m4a.nefilim")) returned 1 [0288.961] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de808 | out: hHeap=0x28d0000) returned 1 [0288.961] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.961] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4409f518, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4409f518, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0288.962] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0288.962] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85edfa10, ftCreationTime.dwHighDateTime=0x1d5e957, ftLastAccessTime.dwLowDateTime=0xc72f35c0, ftLastAccessTime.dwHighDateTime=0x1d5e597, ftLastWriteTime.dwLowDateTime=0xc72f35c0, ftLastWriteTime.dwHighDateTime=0x1d5e597, nFileSizeHigh=0x0, nFileSizeLow=0x35fd, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="jcPPi1M.mp3", cAlternateFileName="")) returned 1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2=".") returned 1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="..") returned 1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="...") returned 1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="windows") returned -1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="$RECYCLE.BIN") returned 1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="rsa") returned -1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="NTDETECT.COM") returned -1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="ntldr") returned -1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="MSDOS.SYS") returned -1 [0288.962] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="IO.SYS") returned 1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="boot.ini") returned 1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="ntuser.dat") returned -1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="desktop.ini") returned 1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="CONFIG.SYS") returned 1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="RECYCLER") returned -1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="BOOTSECT.BAK") returned 1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="bootmgr") returned 1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="programdata") returned -1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="appdata") returned 1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="program files") returned -1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="program files (x86)") returned -1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="microsoft") returned -1 [0288.963] lstrcmpiW (lpString1="jcPPi1M.mp3", lpString2="sophos") returned -1 [0288.963] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0288.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0288.963] PathFindExtensionW (pszPath="jcPPi1M.mp3") returned=".mp3" [0288.963] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0288.963] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0288.963] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0288.963] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0288.963] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0288.963] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0288.963] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0288.963] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0288.964] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0288.964] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0288.964] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0288.964] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85edfa10, ftCreationTime.dwHighDateTime=0x1d5e957, ftLastAccessTime.dwLowDateTime=0xc72f35c0, ftLastAccessTime.dwHighDateTime=0x1d5e597, ftLastWriteTime.dwLowDateTime=0xc72f35c0, ftLastWriteTime.dwHighDateTime=0x1d5e597, nFileSizeHigh=0x0, nFileSizeLow=0x35fd, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="jcPPi1M.mp3", cAlternateFileName="")) returned 0 [0288.964] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0288.964] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.964] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9a0 | out: hHeap=0x28d0000) returned 1 [0288.964] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de968 | out: hHeap=0x28d0000) returned 1 [0288.964] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="...") returned 1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="$RECYCLE.BIN") returned 1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="rsa") returned -1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="NTDETECT.COM") returned -1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="ntldr") returned -1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="MSDOS.SYS") returned 1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="IO.SYS") returned 1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="boot.ini") returned 1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="AUTOEXEC.BAT") returned 1 [0288.964] lstrcmpiW (lpString1="My Documents", lpString2="ntuser.dat") returned -1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="desktop.ini") returned 1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="CONFIG.SYS") returned 1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="RECYCLER") returned -1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="BOOTSECT.BAK") returned 1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="bootmgr") returned 1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="programdata") returned -1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="appdata") returned 1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="program files") returned -1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="program files (x86)") returned -1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="microsoft") returned 1 [0288.965] lstrcmpiW (lpString1="My Documents", lpString2="sophos") returned -1 [0288.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.965] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf0 | out: hHeap=0x28d0000) returned 1 [0288.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0288.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0288.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0288.965] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\My Documents\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x85edfa10, ftCreationTime.dwHighDateTime=0x49000049, ftLastAccessTime.dwLowDateTime=0xc72f35c0, ftLastAccessTime.dwHighDateTime=0x1d5e597, ftLastWriteTime.dwLowDateTime=0xc72f35c0, ftLastWriteTime.dwHighDateTime=0x49000049, nFileSizeHigh=0x28d0000, nFileSizeLow=0x35fd, dwReserved0=0xa0000003, dwReserved1=0x18000119, cFileName="", cAlternateFileName="ɮ⊺\x01ʍʍ:")) returned 0xffffffff [0288.965] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0288.965] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0288.966] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.966] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="NetHood", cAlternateFileName="")) returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="...") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="$RECYCLE.BIN") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="rsa") returned -1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="NTDETECT.COM") returned -1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="ntldr") returned -1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="MSDOS.SYS") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="IO.SYS") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="boot.ini") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="AUTOEXEC.BAT") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="ntuser.dat") returned -1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="desktop.ini") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="CONFIG.SYS") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="RECYCLER") returned -1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="BOOTSECT.BAK") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="bootmgr") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="programdata") returned -1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="appdata") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="program files") returned -1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="program files (x86)") returned -1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="microsoft") returned 1 [0288.966] lstrcmpiW (lpString1="NetHood", lpString2="sophos") returned -1 [0288.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deab8 [0288.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x46) returned 0x28de768 [0288.967] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deab8 | out: hHeap=0x28d0000) returned 1 [0288.967] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b8 [0288.967] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de800 [0288.967] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\NetHood\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x85edfa10, ftCreationTime.dwHighDateTime=0x2000002, ftLastAccessTime.dwLowDateTime=0xc72f35c0, ftLastAccessTime.dwHighDateTime=0x1c00001c, ftLastWriteTime.dwLowDateTime=0xc72f35c0, ftLastWriteTime.dwHighDateTime=0x49000049, nFileSizeHigh=0x28d0000, nFileSizeLow=0x35fd, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="", cAlternateFileName="ɮ⊺\x01ʍʍ0")) returned 0xffffffff [0288.967] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de800 | out: hHeap=0x28d0000) returned 1 [0288.967] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b8 | out: hHeap=0x28d0000) returned 1 [0288.967] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.967] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x6c4d382c, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6c4d382c, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0288.967] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0288.967] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0288.967] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="...") returned 1 [0288.967] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0288.967] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$RECYCLE.BIN") returned 1 [0288.967] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="rsa") returned -1 [0288.967] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="NTDETECT.COM") returned 1 [0288.967] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntldr") returned 1 [0288.967] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="MSDOS.SYS") returned 1 [0288.968] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="IO.SYS") returned 1 [0288.968] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="boot.ini") returned 1 [0288.968] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="AUTOEXEC.BAT") returned 1 [0288.968] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0288.968] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0xa9000, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="...") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="windows") returned -1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="rsa") returned -1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NTDETECT.COM") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntldr") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="MSDOS.SYS") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="IO.SYS") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="boot.ini") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="AUTOEXEC.BAT") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntuser.dat") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="desktop.ini") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="CONFIG.SYS") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="RECYCLER") returned -1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="BOOTSECT.BAK") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="bootmgr") returned 1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="programdata") returned -1 [0288.968] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="appdata") returned 1 [0288.969] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="program files") returned -1 [0288.969] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="program files (x86)") returned -1 [0288.969] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="microsoft") returned 1 [0288.969] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="sophos") returned -1 [0288.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.969] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.969] PathFindExtensionW (pszPath="ntuser.dat.LOG1") returned=".LOG1" [0288.969] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0288.969] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0288.969] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0288.969] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0288.969] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0288.969] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".NEFILIM") returned -1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0288.970] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0288.970] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.970] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0288.970] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0288.971] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0288.971] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de030 [0288.971] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28ddfe8 [0288.971] SystemFunction036 (in: RandomBuffer=0x28de030, RandomBufferLength=0x10 | out: RandomBuffer=0x28de030) returned 1 [0288.971] SystemFunction036 (in: RandomBuffer=0x28ddfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x28ddfe8) returned 1 [0288.971] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21618 [0288.971] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21828 [0288.971] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21618*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d21618*, pdwDataLen=0x26eef28*=0x100) returned 1 [0288.971] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21828*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21828*, pdwDataLen=0x26eef24*=0x100) returned 1 [0288.972] GetTickCount () returned 0x118854b [0288.972] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28debd0 [0288.972] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28debd0 | out: hHeap=0x28d0000) returned 1 [0288.972] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0288.972] SetLastError (dwErrCode=0x0) [0288.972] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d21618, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0288.972] GetLastError () returned 0x6 [0288.972] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.972] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0288.972] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0288.972] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0288.972] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="...") returned 1 [0288.972] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="windows") returned -1 [0288.972] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="rsa") returned -1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NTDETECT.COM") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntldr") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="MSDOS.SYS") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="IO.SYS") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="boot.ini") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="AUTOEXEC.BAT") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntuser.dat") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="desktop.ini") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="CONFIG.SYS") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="RECYCLER") returned -1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="BOOTSECT.BAK") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="bootmgr") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="programdata") returned -1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="appdata") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="program files") returned -1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="program files (x86)") returned -1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="microsoft") returned 1 [0288.973] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="sophos") returned -1 [0288.973] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0288.973] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.973] PathFindExtensionW (pszPath="ntuser.dat.LOG2") returned=".LOG2" [0288.973] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0288.973] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0288.973] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".NEFILIM") returned -1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0288.974] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0288.974] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.974] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0288.974] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG2" (normalized: "c:\\users\\fd1hvy\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0288.974] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0288.975] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de000 [0288.975] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de078 [0288.975] SystemFunction036 (in: RandomBuffer=0x28de000, RandomBufferLength=0x10 | out: RandomBuffer=0x28de000) returned 1 [0288.975] SystemFunction036 (in: RandomBuffer=0x28de078, RandomBufferLength=0x10 | out: RandomBuffer=0x28de078) returned 1 [0288.975] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d207a8 [0288.975] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20dd8 [0288.975] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d207a8*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d207a8*, pdwDataLen=0x26eef28*=0x100) returned 1 [0288.977] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20dd8*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d20dd8*, pdwDataLen=0x26eef24*=0x100) returned 1 [0288.979] GetTickCount () returned 0x118854b [0288.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de930 [0288.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de930 | out: hHeap=0x28d0000) returned 1 [0288.979] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0288.979] SetLastError (dwErrCode=0x0) [0288.979] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d207a8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0288.979] GetLastError () returned 0x6 [0288.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0288.979] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0288.979] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".") returned 1 [0288.979] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="..") returned 1 [0288.979] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="...") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="windows") returned -1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="$RECYCLE.BIN") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="rsa") returned -1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ntldr") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="MSDOS.SYS") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="IO.SYS") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="boot.ini") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="AUTOEXEC.BAT") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ntuser.dat") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="desktop.ini") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="CONFIG.SYS") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="RECYCLER") returned -1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="BOOTSECT.BAK") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="bootmgr") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="programdata") returned -1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="appdata") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="program files") returned -1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="program files (x86)") returned -1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="microsoft") returned 1 [0288.980] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="sophos") returned -1 [0288.980] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28de7b0 [0288.980] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0288.980] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned=".blf" [0288.980] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0288.980] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".NEFILIM") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0288.981] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0288.981] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0288.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbcc0 [0288.981] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0288.982] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0288.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de0c0 [0288.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de168 [0288.982] SystemFunction036 (in: RandomBuffer=0x28de0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de0c0) returned 1 [0288.982] SystemFunction036 (in: RandomBuffer=0x28de168, RandomBufferLength=0x10 | out: RandomBuffer=0x28de168) returned 1 [0288.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20ee0 [0288.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21c48 [0288.982] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20ee0*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d20ee0*, pdwDataLen=0x26eef28*=0x100) returned 1 [0288.984] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21c48*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21c48*, pdwDataLen=0x26eef24*=0x100) returned 1 [0289.088] GetTickCount () returned 0x11885b8 [0289.088] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c0 [0289.088] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c0 | out: hHeap=0x28d0000) returned 1 [0289.088] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0289.088] SetLastError (dwErrCode=0x0) [0289.088] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d20ee0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0289.088] GetLastError () returned 0x6 [0289.088] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.088] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0289.088] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0289.088] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0289.088] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0289.088] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0289.088] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0289.088] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="IO.SYS") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="RECYCLER") returned -1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="microsoft") returned 1 [0289.089] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="sophos") returned -1 [0289.089] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbcc0 [0289.089] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0289.089] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0289.089] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28de390 [0289.089] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0289.089] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0289.089] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0289.090] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0289.090] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0289.090] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbda8 [0289.090] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0289.091] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0289.091] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de180 [0289.091] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2d0 [0289.091] SystemFunction036 (in: RandomBuffer=0x28de180, RandomBufferLength=0x10 | out: RandomBuffer=0x28de180) returned 1 [0289.091] SystemFunction036 (in: RandomBuffer=0x28de2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2d0) returned 1 [0289.091] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21a38 [0289.091] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21930 [0289.091] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21a38*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d21a38*, pdwDataLen=0x26eef28*=0x100) returned 1 [0289.093] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21930*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21930*, pdwDataLen=0x26eef24*=0x100) returned 1 [0289.095] GetTickCount () returned 0x11885c8 [0289.095] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9a0 [0289.096] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9a0 | out: hHeap=0x28d0000) returned 1 [0289.096] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0289.096] SetLastError (dwErrCode=0x0) [0289.096] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d21a38, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0289.096] GetLastError () returned 0x6 [0289.096] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0289.096] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de390 | out: hHeap=0x28d0000) returned 1 [0289.096] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="IO.SYS") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0289.096] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0289.097] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="RECYCLER") returned -1 [0289.097] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0289.097] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0289.097] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0289.097] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0289.097] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0289.097] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0289.097] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="microsoft") returned 1 [0289.097] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="sophos") returned -1 [0289.097] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbda8 [0289.097] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.097] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0289.097] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28de610 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0289.097] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0289.098] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0289.098] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0289.098] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0289.098] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0289.098] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dbcc0 [0289.098] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0289.098] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=440599260887424) returned 0 [0289.098] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de240 [0289.098] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2e8 [0289.098] SystemFunction036 (in: RandomBuffer=0x28de240, RandomBufferLength=0x10 | out: RandomBuffer=0x28de240) returned 1 [0289.098] SystemFunction036 (in: RandomBuffer=0x28de2e8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2e8) returned 1 [0289.098] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21b40 [0289.098] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d21d50 [0289.098] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21b40*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d21b40*, pdwDataLen=0x26eef28*=0x100) returned 1 [0289.100] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d21d50*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d21d50*, pdwDataLen=0x26eef24*=0x100) returned 1 [0289.103] GetTickCount () returned 0x11885c8 [0289.103] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec40 [0289.103] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec40 | out: hHeap=0x28d0000) returned 1 [0289.103] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0289.103] SetLastError (dwErrCode=0x0) [0289.103] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d21b40, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0) returned 0 [0289.103] GetLastError () returned 0x6 [0289.103] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.103] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de610 | out: hHeap=0x28d0000) returned 1 [0289.103] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xc1adea7d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc1adea7d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc1adea7d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0289.103] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0289.103] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0289.103] lstrcmpiW (lpString1="ntuser.ini", lpString2="...") returned 1 [0289.103] lstrcmpiW (lpString1="ntuser.ini", lpString2="windows") returned -1 [0289.103] lstrcmpiW (lpString1="ntuser.ini", lpString2="$RECYCLE.BIN") returned 1 [0289.103] lstrcmpiW (lpString1="ntuser.ini", lpString2="rsa") returned -1 [0289.103] lstrcmpiW (lpString1="ntuser.ini", lpString2="NTDETECT.COM") returned 1 [0289.103] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntldr") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="MSDOS.SYS") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="IO.SYS") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="boot.ini") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="AUTOEXEC.BAT") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="desktop.ini") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="CONFIG.SYS") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="RECYCLER") returned -1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="BOOTSECT.BAK") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="bootmgr") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="programdata") returned -1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="appdata") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files") returned -1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files (x86)") returned -1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="microsoft") returned 1 [0289.104] lstrcmpiW (lpString1="ntuser.ini", lpString2="sophos") returned -1 [0289.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0289.104] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda8 | out: hHeap=0x28d0000) returned 1 [0289.104] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0289.104] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0289.104] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0289.104] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0289.104] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0289.104] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0289.104] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0289.104] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0289.105] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2=".") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="..") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="...") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="windows") returned -1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="$RECYCLE.BIN") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="rsa") returned -1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="NTDETECT.COM") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="ntldr") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="MSDOS.SYS") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="IO.SYS") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="boot.ini") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="AUTOEXEC.BAT") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="ntuser.dat") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="desktop.ini") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="CONFIG.SYS") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="RECYCLER") returned -1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="BOOTSECT.BAK") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="bootmgr") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="programdata") returned -1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="appdata") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="program files") returned -1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="program files (x86)") returned -1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="microsoft") returned 1 [0289.105] lstrcmpiW (lpString1="OneDrive", lpString2="sophos") returned -1 [0289.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0289.106] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0289.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0289.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0289.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7f8 [0289.106] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\OneDrive\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0289.106] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0289.106] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="..", cAlternateFileName="")) returned 1 [0289.106] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0289.106] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0289.106] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0289.106] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0289.106] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0289.106] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0289.106] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0289.106] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0289.107] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0289.107] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0289.107] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0289.107] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0289.107] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0289.107] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0289.107] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0289.107] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0289.107] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0289.107] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0289.107] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0289.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0289.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0289.107] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe7875919, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe7875919, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Pictures", cAlternateFileName="")) returned 1 [0289.107] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0289.107] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0289.107] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0289.107] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0289.107] lstrcmpiW (lpString1="Pictures", lpString2="$RECYCLE.BIN") returned 1 [0289.107] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0289.107] lstrcmpiW (lpString1="Pictures", lpString2="NTDETECT.COM") returned 1 [0289.107] lstrcmpiW (lpString1="Pictures", lpString2="ntldr") returned 1 [0289.107] lstrcmpiW (lpString1="Pictures", lpString2="MSDOS.SYS") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="IO.SYS") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="boot.ini") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="desktop.ini") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="CONFIG.SYS") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="RECYCLER") returned -1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="BOOTSECT.BAK") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="microsoft") returned 1 [0289.108] lstrcmpiW (lpString1="Pictures", lpString2="sophos") returned -1 [0289.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0289.108] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0289.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0289.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0289.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7f8 [0289.108] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe7875919, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe7875919, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName=".", cAlternateFileName="")) returned 0xa2f460 [0289.109] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0289.109] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe7875919, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe7875919, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="..", cAlternateFileName="")) returned 1 [0289.109] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0289.109] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0289.109] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x697155f0, ftCreationTime.dwHighDateTime=0x1d5e7c0, ftLastAccessTime.dwLowDateTime=0x98efa920, ftLastAccessTime.dwHighDateTime=0x1d5f054, ftLastWriteTime.dwLowDateTime=0x98efa920, ftLastWriteTime.dwHighDateTime=0x1d5f054, nFileSizeHigh=0x0, nFileSizeLow=0x6f6a, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="1V02nndSA3bK9.png", cAlternateFileName="1V02NN~1.PNG")) returned 1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2=".") returned 1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="..") returned 1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="...") returned 1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="windows") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="$RECYCLE.BIN") returned 1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="rsa") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="NTDETECT.COM") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="ntldr") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="MSDOS.SYS") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="IO.SYS") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="boot.ini") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="AUTOEXEC.BAT") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="ntuser.dat") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="desktop.ini") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="CONFIG.SYS") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="RECYCLER") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="BOOTSECT.BAK") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="bootmgr") returned -1 [0289.109] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="programdata") returned -1 [0289.110] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="appdata") returned -1 [0289.151] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="program files") returned -1 [0289.151] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="program files (x86)") returned -1 [0289.151] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="microsoft") returned -1 [0289.151] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="sophos") returned -1 [0289.151] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0289.151] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.151] PathFindExtensionW (pszPath="1V02nndSA3bK9.png") returned=".png" [0289.151] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0289.151] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0289.152] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0289.152] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0289.152] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0289.152] lstrcmpiW (lpString1="1V02nndSA3bK9.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.152] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0289.152] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\1V02nndSA3bK9.png" (normalized: "c:\\users\\fd1hvy\\pictures\\1v02nndsa3bk9.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.152] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=28522) returned 1 [0289.152] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de288 [0289.152] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.152] SystemFunction036 (in: RandomBuffer=0x28de288, RandomBufferLength=0x10 | out: RandomBuffer=0x28de288) returned 1 [0289.152] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.152] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.153] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22288 [0289.153] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.153] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22288*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22288*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.155] GetTickCount () returned 0x11885f7 [0289.155] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea10 [0289.155] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea10 | out: hHeap=0x28d0000) returned 1 [0289.155] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x6f6a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.155] SetLastError (dwErrCode=0x0) [0289.155] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.158] GetLastError () returned 0x0 [0289.158] GetLastError () returned 0x0 [0289.158] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x706a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.158] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22288*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.158] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x716a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.158] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2ac2670, dwHighDateTime=0x1d5fd73)) [0289.158] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0289.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.158] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.158] GetProcessHeap () returned 0xa10000 [0289.158] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x6f6a) returned 0xa3e6a0 [0289.160] GetSystemDefaultLangID () returned 0xa20409 [0289.160] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.160] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x6f6a, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x6f6a, lpOverlapped=0x0) returned 1 [0289.162] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.162] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x6f6a, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x6f6a, lpOverlapped=0x0) returned 1 [0289.162] GetProcessHeap () returned 0xa10000 [0289.162] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.163] CloseHandle (hObject=0x26c) returned 1 [0289.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22288 | out: hHeap=0x28d0000) returned 1 [0289.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de288 | out: hHeap=0x28d0000) returned 1 [0289.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.163] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0289.163] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\1V02nndSA3bK9.png" (normalized: "c:\\users\\fd1hvy\\pictures\\1v02nndsa3bk9.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\1V02nndSA3bK9.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\1v02nndsa3bk9.png.nefilim")) returned 1 [0289.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.164] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99333440, ftCreationTime.dwHighDateTime=0x1d5e6b0, ftLastAccessTime.dwLowDateTime=0x7583d710, ftLastAccessTime.dwHighDateTime=0x1d5e4d1, ftLastWriteTime.dwLowDateTime=0x7583d710, ftLastWriteTime.dwHighDateTime=0x1d5e4d1, nFileSizeHigh=0x0, nFileSizeLow=0x18378, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="3VE cc52V8pZdgeOo.gif", cAlternateFileName="3VECC5~1.GIF")) returned 1 [0289.164] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2=".") returned 1 [0289.164] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="..") returned 1 [0289.164] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="...") returned 1 [0289.164] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="windows") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="$RECYCLE.BIN") returned 1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="rsa") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="NTDETECT.COM") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="ntldr") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="MSDOS.SYS") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="IO.SYS") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="boot.ini") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="AUTOEXEC.BAT") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="ntuser.dat") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="desktop.ini") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="CONFIG.SYS") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="RECYCLER") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="BOOTSECT.BAK") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="bootmgr") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="programdata") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="appdata") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="program files") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="program files (x86)") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="microsoft") returned -1 [0289.165] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="sophos") returned -1 [0289.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0289.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.165] PathFindExtensionW (pszPath="3VE cc52V8pZdgeOo.gif") returned=".gif" [0289.165] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0289.165] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0289.165] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0289.165] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0289.166] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0289.166] lstrcmpiW (lpString1="3VE cc52V8pZdgeOo.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0289.166] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\3VE cc52V8pZdgeOo.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\3ve cc52v8pzdgeoo.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.166] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=99192) returned 1 [0289.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de288 [0289.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.166] SystemFunction036 (in: RandomBuffer=0x28de288, RandomBufferLength=0x10 | out: RandomBuffer=0x28de288) returned 1 [0289.167] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.167] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.167] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22cd8 [0289.167] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.169] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22cd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22cd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.171] GetTickCount () returned 0x1188606 [0289.171] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea48 [0289.171] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea48 | out: hHeap=0x28d0000) returned 1 [0289.171] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x18378, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.171] SetLastError (dwErrCode=0x0) [0289.171] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.172] GetLastError () returned 0x0 [0289.172] GetLastError () returned 0x0 [0289.172] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x18478, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.172] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22cd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.172] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x18578, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.172] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2ae88a2, dwHighDateTime=0x1d5fd73)) [0289.172] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0289.172] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.172] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.172] GetProcessHeap () returned 0xa10000 [0289.172] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x18378) returned 0xa3e6a0 [0289.173] GetSystemDefaultLangID () returned 0xa20409 [0289.173] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.173] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x18378, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x18378, lpOverlapped=0x0) returned 1 [0289.179] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.180] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x18378, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x18378, lpOverlapped=0x0) returned 1 [0289.180] GetProcessHeap () returned 0xa10000 [0289.180] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.180] CloseHandle (hObject=0x26c) returned 1 [0289.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22cd8 | out: hHeap=0x28d0000) returned 1 [0289.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de288 | out: hHeap=0x28d0000) returned 1 [0289.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0289.180] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\3VE cc52V8pZdgeOo.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\3ve cc52v8pzdgeoo.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\3VE cc52V8pZdgeOo.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\3ve cc52v8pzdgeoo.gif.nefilim")) returned 1 [0289.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.181] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6676980, ftCreationTime.dwHighDateTime=0x1d5e1ad, ftLastAccessTime.dwLowDateTime=0x97e30660, ftLastAccessTime.dwHighDateTime=0x1d5ee2b, ftLastWriteTime.dwLowDateTime=0x97e30660, ftLastWriteTime.dwHighDateTime=0x1d5ee2b, nFileSizeHigh=0x0, nFileSizeLow=0x139df, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="4HcX.png", cAlternateFileName="")) returned 1 [0289.181] lstrcmpiW (lpString1="4HcX.png", lpString2=".") returned 1 [0289.181] lstrcmpiW (lpString1="4HcX.png", lpString2="..") returned 1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="...") returned 1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="windows") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="$RECYCLE.BIN") returned 1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="rsa") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="NTDETECT.COM") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="ntldr") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="MSDOS.SYS") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="IO.SYS") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="boot.ini") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="AUTOEXEC.BAT") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="ntuser.dat") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="desktop.ini") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="CONFIG.SYS") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="RECYCLER") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="BOOTSECT.BAK") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="bootmgr") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="programdata") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="appdata") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="program files") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="program files (x86)") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="microsoft") returned -1 [0289.182] lstrcmpiW (lpString1="4HcX.png", lpString2="sophos") returned -1 [0289.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0289.182] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.183] PathFindExtensionW (pszPath="4HcX.png") returned=".png" [0289.183] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0289.183] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0289.183] lstrcmpiW (lpString1="4HcX.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.183] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0289.183] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\4HcX.png" (normalized: "c:\\users\\fd1hvy\\pictures\\4hcx.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.183] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=80351) returned 1 [0289.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0289.184] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.184] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0289.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d227b0 [0289.184] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.184] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d227b0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d227b0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.185] GetTickCount () returned 0x1188616 [0289.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9d8 [0289.185] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9d8 | out: hHeap=0x28d0000) returned 1 [0289.185] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x139df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.185] SetLastError (dwErrCode=0x0) [0289.185] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.186] GetLastError () returned 0x0 [0289.186] GetLastError () returned 0x0 [0289.186] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13adf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.186] WriteFile (in: hFile=0x26c, lpBuffer=0x2d227b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d227b0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.186] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13bdf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.186] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2ae88a2, dwHighDateTime=0x1d5fd73)) [0289.186] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0289.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0289.186] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.186] GetProcessHeap () returned 0xa10000 [0289.186] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x139df) returned 0xa3e6a0 [0289.186] GetSystemDefaultLangID () returned 0xa20409 [0289.186] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.186] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x139df, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x139df, lpOverlapped=0x0) returned 1 [0289.208] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.208] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x139df, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x139df, lpOverlapped=0x0) returned 1 [0289.208] GetProcessHeap () returned 0xa10000 [0289.208] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.208] CloseHandle (hObject=0x26c) returned 1 [0289.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d227b0 | out: hHeap=0x28d0000) returned 1 [0289.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.209] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0289.209] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0289.209] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\4HcX.png" (normalized: "c:\\users\\fd1hvy\\pictures\\4hcx.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\4HcX.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\4hcx.png.nefilim")) returned 1 [0289.210] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0289.210] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.210] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e08c40, ftCreationTime.dwHighDateTime=0x1d5ef75, ftLastAccessTime.dwLowDateTime=0x248867d0, ftLastAccessTime.dwHighDateTime=0x1d5e1e4, ftLastWriteTime.dwLowDateTime=0x248867d0, ftLastWriteTime.dwHighDateTime=0x1d5e1e4, nFileSizeHigh=0x0, nFileSizeLow=0xa571, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="9Nj2acIInGXyxl.jpg", cAlternateFileName="9NJ2AC~1.JPG")) returned 1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2=".") returned 1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="..") returned 1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="...") returned 1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="windows") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="$RECYCLE.BIN") returned 1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="rsa") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="NTDETECT.COM") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="ntldr") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="MSDOS.SYS") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="IO.SYS") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="boot.ini") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="AUTOEXEC.BAT") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="ntuser.dat") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="desktop.ini") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="CONFIG.SYS") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="RECYCLER") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="BOOTSECT.BAK") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="bootmgr") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="programdata") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="appdata") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="program files") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="program files (x86)") returned -1 [0289.210] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="microsoft") returned -1 [0289.211] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="sophos") returned -1 [0289.211] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0289.211] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.211] PathFindExtensionW (pszPath="9Nj2acIInGXyxl.jpg") returned=".jpg" [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0289.211] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0289.211] lstrcmpiW (lpString1="9Nj2acIInGXyxl.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.211] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0289.211] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\9Nj2acIInGXyxl.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\9nj2aciingxyxl.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.212] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=42353) returned 1 [0289.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0289.212] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.212] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0289.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23518 [0289.212] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.212] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.214] GetTickCount () returned 0x1188635 [0289.214] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9a0 [0289.214] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9a0 | out: hHeap=0x28d0000) returned 1 [0289.215] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa571, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.215] SetLastError (dwErrCode=0x0) [0289.215] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.216] GetLastError () returned 0x0 [0289.216] GetLastError () returned 0x0 [0289.216] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa671, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.216] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23518*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.216] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa771, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.216] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2b34a49, dwHighDateTime=0x1d5fd73)) [0289.216] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0289.216] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.216] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.216] GetProcessHeap () returned 0xa10000 [0289.216] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xa571) returned 0xa3e6a0 [0289.218] GetSystemDefaultLangID () returned 0xa20409 [0289.218] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.218] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xa571, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xa571, lpOverlapped=0x0) returned 1 [0289.236] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.236] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xa571, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xa571, lpOverlapped=0x0) returned 1 [0289.236] GetProcessHeap () returned 0xa10000 [0289.237] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.237] CloseHandle (hObject=0x26c) returned 1 [0289.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23518 | out: hHeap=0x28d0000) returned 1 [0289.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0289.237] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0289.237] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\9Nj2acIInGXyxl.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\9nj2aciingxyxl.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\9Nj2acIInGXyxl.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\9nj2aciingxyxl.jpg.nefilim")) returned 1 [0289.238] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.238] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.238] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2=".") returned 1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="..") returned 1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="...") returned 1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="windows") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="$RECYCLE.BIN") returned 1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="rsa") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="NTDETECT.COM") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="ntldr") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="MSDOS.SYS") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="IO.SYS") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="boot.ini") returned 1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="AUTOEXEC.BAT") returned 1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="ntuser.dat") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="desktop.ini") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="CONFIG.SYS") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="RECYCLER") returned -1 [0289.238] lstrcmpiW (lpString1="Camera Roll", lpString2="BOOTSECT.BAK") returned 1 [0289.239] lstrcmpiW (lpString1="Camera Roll", lpString2="bootmgr") returned 1 [0289.239] lstrcmpiW (lpString1="Camera Roll", lpString2="programdata") returned -1 [0289.239] lstrcmpiW (lpString1="Camera Roll", lpString2="appdata") returned 1 [0289.239] lstrcmpiW (lpString1="Camera Roll", lpString2="program files") returned -1 [0289.239] lstrcmpiW (lpString1="Camera Roll", lpString2="program files (x86)") returned -1 [0289.239] lstrcmpiW (lpString1="Camera Roll", lpString2="microsoft") returned -1 [0289.239] lstrcmpiW (lpString1="Camera Roll", lpString2="sophos") returned -1 [0289.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0289.239] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0289.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd18 [0289.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd70 [0289.239] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x1000000, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0289.241] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0289.241] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x1000000, cFileName="..", cAlternateFileName="")) returned 1 [0289.241] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0289.241] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0289.241] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x28dbcc0, dwReserved1=0x1000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0289.241] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0289.242] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x28dbcc0, dwReserved1=0x1000000, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0289.242] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0289.242] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0289.242] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0289.242] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.242] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44053085, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44053085, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0289.242] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0289.243] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55650560, ftCreationTime.dwHighDateTime=0x1d5ef00, ftLastAccessTime.dwLowDateTime=0xe8d3bef0, ftLastAccessTime.dwHighDateTime=0x1d5eb80, ftLastWriteTime.dwLowDateTime=0xe8d3bef0, ftLastWriteTime.dwHighDateTime=0x1d5eb80, nFileSizeHigh=0x0, nFileSizeLow=0xfea9, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="hSDePUmjHT.gif", cAlternateFileName="HSDEPU~1.GIF")) returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2=".") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="..") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="...") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="windows") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="$RECYCLE.BIN") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="rsa") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="NTDETECT.COM") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="ntldr") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="MSDOS.SYS") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="IO.SYS") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="boot.ini") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="AUTOEXEC.BAT") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="ntuser.dat") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="desktop.ini") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="CONFIG.SYS") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="RECYCLER") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="BOOTSECT.BAK") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="bootmgr") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="programdata") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="appdata") returned 1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="program files") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="program files (x86)") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="microsoft") returned -1 [0289.243] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="sophos") returned -1 [0289.243] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0289.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.243] PathFindExtensionW (pszPath="hSDePUmjHT.gif") returned=".gif" [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0289.244] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0289.244] lstrcmpiW (lpString1="hSDePUmjHT.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.244] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0289.244] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\hSDePUmjHT.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\hsdepumjht.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.245] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=65193) returned 1 [0289.245] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2a0 [0289.245] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.245] SystemFunction036 (in: RandomBuffer=0x28de2a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2a0) returned 1 [0289.245] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.245] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.245] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23410 [0289.245] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.245] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23410*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23410*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.246] GetTickCount () returned 0x1188654 [0289.246] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c0 [0289.246] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c0 | out: hHeap=0x28d0000) returned 1 [0289.246] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xfea9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.246] SetLastError (dwErrCode=0x0) [0289.246] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.247] GetLastError () returned 0x0 [0289.247] GetLastError () returned 0x0 [0289.247] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xffa9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.247] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23410*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.247] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x100a9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.247] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2b8112a, dwHighDateTime=0x1d5fd73)) [0289.247] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0289.247] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0289.247] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.248] GetProcessHeap () returned 0xa10000 [0289.248] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xfea9) returned 0xa3e6a0 [0289.248] GetSystemDefaultLangID () returned 0xa20409 [0289.248] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.248] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xfea9, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xfea9, lpOverlapped=0x0) returned 1 [0289.253] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.253] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xfea9, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xfea9, lpOverlapped=0x0) returned 1 [0289.254] GetProcessHeap () returned 0xa10000 [0289.254] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.254] CloseHandle (hObject=0x26c) returned 1 [0289.254] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.254] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23410 | out: hHeap=0x28d0000) returned 1 [0289.254] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2a0 | out: hHeap=0x28d0000) returned 1 [0289.254] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.254] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0289.254] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\hSDePUmjHT.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\hsdepumjht.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\hSDePUmjHT.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\hsdepumjht.gif.nefilim")) returned 1 [0289.255] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0289.255] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.255] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85d3e4b0, ftCreationTime.dwHighDateTime=0x1d5ecc0, ftLastAccessTime.dwLowDateTime=0xdb7e6f00, ftLastAccessTime.dwHighDateTime=0x1d5e376, ftLastWriteTime.dwLowDateTime=0xdb7e6f00, ftLastWriteTime.dwHighDateTime=0x1d5e376, nFileSizeHigh=0x0, nFileSizeLow=0x4d95, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="igFC bp2l.png", cAlternateFileName="IGFCBP~1.PNG")) returned 1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2=".") returned 1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="..") returned 1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="...") returned 1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="windows") returned -1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="$RECYCLE.BIN") returned 1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="rsa") returned -1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="NTDETECT.COM") returned -1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="ntldr") returned -1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="MSDOS.SYS") returned -1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="IO.SYS") returned -1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="boot.ini") returned 1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="AUTOEXEC.BAT") returned 1 [0289.255] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="ntuser.dat") returned -1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="desktop.ini") returned 1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="CONFIG.SYS") returned 1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="RECYCLER") returned -1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="BOOTSECT.BAK") returned 1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="bootmgr") returned 1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="programdata") returned -1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="appdata") returned 1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="program files") returned -1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="program files (x86)") returned -1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="microsoft") returned -1 [0289.256] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="sophos") returned -1 [0289.256] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0289.256] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.256] PathFindExtensionW (pszPath="igFC bp2l.png") returned=".png" [0289.256] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0289.256] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0289.257] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0289.257] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0289.257] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0289.257] lstrcmpiW (lpString1="igFC bp2l.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0289.257] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\igFC bp2l.png" (normalized: "c:\\users\\fd1hvy\\pictures\\igfc bp2l.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.257] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=19861) returned 1 [0289.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0289.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de288 [0289.257] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0289.257] SystemFunction036 (in: RandomBuffer=0x28de288, RandomBufferLength=0x10 | out: RandomBuffer=0x28de288) returned 1 [0289.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.257] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22de0 [0289.257] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.258] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22de0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22de0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.258] GetTickCount () returned 0x1188664 [0289.258] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8f8 [0289.258] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8f8 | out: hHeap=0x28d0000) returned 1 [0289.258] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4d95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.258] SetLastError (dwErrCode=0x0) [0289.258] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.259] GetLastError () returned 0x0 [0289.259] GetLastError () returned 0x0 [0289.259] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4e95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.259] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22de0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.259] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4f95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.260] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2ba73d8, dwHighDateTime=0x1d5fd73)) [0289.260] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0289.260] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0289.260] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.260] GetProcessHeap () returned 0xa10000 [0289.260] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4d95) returned 0xa3e6a0 [0289.260] GetSystemDefaultLangID () returned 0xa20409 [0289.260] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.260] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x4d95, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x4d95, lpOverlapped=0x0) returned 1 [0289.261] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.261] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x4d95, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x4d95, lpOverlapped=0x0) returned 1 [0289.261] GetProcessHeap () returned 0xa10000 [0289.261] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.261] CloseHandle (hObject=0x26c) returned 1 [0289.262] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.262] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22de0 | out: hHeap=0x28d0000) returned 1 [0289.262] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0289.262] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de288 | out: hHeap=0x28d0000) returned 1 [0289.262] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0289.262] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\igFC bp2l.png" (normalized: "c:\\users\\fd1hvy\\pictures\\igfc bp2l.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\igFC bp2l.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\igfc bp2l.png.nefilim")) returned 1 [0289.263] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0289.263] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.263] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3ea4a50, ftCreationTime.dwHighDateTime=0x1d5e307, ftLastAccessTime.dwLowDateTime=0xf2e536f0, ftLastAccessTime.dwHighDateTime=0x1d5e412, ftLastWriteTime.dwLowDateTime=0xf2e536f0, ftLastWriteTime.dwHighDateTime=0x1d5e412, nFileSizeHigh=0x0, nFileSizeLow=0x14aa4, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="J6wjS5FPFsseKbkwor9T.gif", cAlternateFileName="J6WJS5~1.GIF")) returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2=".") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="..") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="...") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="windows") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="$RECYCLE.BIN") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="rsa") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="NTDETECT.COM") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="ntldr") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="MSDOS.SYS") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="IO.SYS") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="boot.ini") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="AUTOEXEC.BAT") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="ntuser.dat") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="desktop.ini") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="CONFIG.SYS") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="RECYCLER") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="BOOTSECT.BAK") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="bootmgr") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="programdata") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="appdata") returned 1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="program files") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="program files (x86)") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="microsoft") returned -1 [0289.263] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="sophos") returned -1 [0289.264] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de7f8 [0289.264] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.264] PathFindExtensionW (pszPath="J6wjS5FPFsseKbkwor9T.gif") returned=".gif" [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0289.264] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0289.264] lstrcmpiW (lpString1="J6wjS5FPFsseKbkwor9T.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.264] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0289.264] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\J6wjS5FPFsseKbkwor9T.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\j6wjs5fpfssekbkwor9t.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.265] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=84644) returned 1 [0289.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0289.265] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.265] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0289.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.265] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d228b8 [0289.265] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.265] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d228b8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d228b8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.266] GetTickCount () returned 0x1188664 [0289.266] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deab8 [0289.266] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deab8 | out: hHeap=0x28d0000) returned 1 [0289.266] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14aa4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.266] SetLastError (dwErrCode=0x0) [0289.336] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.338] GetLastError () returned 0x0 [0289.338] GetLastError () returned 0x0 [0289.338] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14ba4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.338] WriteFile (in: hFile=0x26c, lpBuffer=0x2d228b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d228b8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.338] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14ca4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.338] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2c65eb5, dwHighDateTime=0x1d5fd73)) [0289.338] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd38 [0289.338] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0289.338] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.338] GetProcessHeap () returned 0xa10000 [0289.338] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x14aa4) returned 0xa3e6a0 [0289.338] GetSystemDefaultLangID () returned 0xa20409 [0289.338] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.338] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x14aa4, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x14aa4, lpOverlapped=0x0) returned 1 [0289.344] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.344] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x14aa4, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x14aa4, lpOverlapped=0x0) returned 1 [0289.345] GetProcessHeap () returned 0xa10000 [0289.345] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.345] CloseHandle (hObject=0x26c) returned 1 [0289.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d228b8 | out: hHeap=0x28d0000) returned 1 [0289.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.345] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0289.345] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0289.345] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\J6wjS5FPFsseKbkwor9T.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\j6wjs5fpfssekbkwor9t.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\J6wjS5FPFsseKbkwor9T.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\j6wjs5fpfssekbkwor9t.gif.nefilim")) returned 1 [0289.346] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0289.346] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.346] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53d0b4f0, ftCreationTime.dwHighDateTime=0x1d5ec3b, ftLastAccessTime.dwLowDateTime=0xf31fe0, ftLastAccessTime.dwHighDateTime=0x1d5ecca, ftLastWriteTime.dwLowDateTime=0xf31fe0, ftLastWriteTime.dwHighDateTime=0x1d5ecca, nFileSizeHigh=0x0, nFileSizeLow=0x100a3, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="JtsuQ8b_03.jpg", cAlternateFileName="JTSUQ8~1.JPG")) returned 1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2=".") returned 1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="..") returned 1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="...") returned 1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="windows") returned -1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="$RECYCLE.BIN") returned 1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="rsa") returned -1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="NTDETECT.COM") returned -1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="ntldr") returned -1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="MSDOS.SYS") returned -1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="IO.SYS") returned 1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="boot.ini") returned 1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="ntuser.dat") returned -1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="desktop.ini") returned 1 [0289.346] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="CONFIG.SYS") returned 1 [0289.347] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="RECYCLER") returned -1 [0289.347] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="BOOTSECT.BAK") returned 1 [0289.347] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="bootmgr") returned 1 [0289.347] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="programdata") returned -1 [0289.347] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="appdata") returned 1 [0289.347] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="program files") returned -1 [0289.347] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="program files (x86)") returned -1 [0289.347] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="microsoft") returned -1 [0289.347] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="sophos") returned -1 [0289.347] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0289.347] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.347] PathFindExtensionW (pszPath="JtsuQ8b_03.jpg") returned=".jpg" [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0289.347] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0289.348] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0289.348] lstrcmpiW (lpString1="JtsuQ8b_03.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0289.348] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\JtsuQ8b_03.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\jtsuq8b_03.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.348] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=65699) returned 1 [0289.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0289.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.348] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0289.348] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.348] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22cd8 [0289.348] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.350] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22cd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22cd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.352] GetTickCount () returned 0x11886c2 [0289.352] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb98 [0289.352] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb98 | out: hHeap=0x28d0000) returned 1 [0289.353] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x100a3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.353] SetLastError (dwErrCode=0x0) [0289.353] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.354] GetLastError () returned 0x0 [0289.354] GetLastError () returned 0x0 [0289.354] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x101a3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.354] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22cd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.354] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x102a3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.354] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2c8c200, dwHighDateTime=0x1d5fd73)) [0289.354] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0289.354] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0289.354] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.354] GetProcessHeap () returned 0xa10000 [0289.354] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x100a3) returned 0xa3e6a0 [0289.354] GetSystemDefaultLangID () returned 0xa20409 [0289.354] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.354] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x100a3, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x100a3, lpOverlapped=0x0) returned 1 [0289.359] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.359] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x100a3, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x100a3, lpOverlapped=0x0) returned 1 [0289.360] GetProcessHeap () returned 0xa10000 [0289.360] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.360] CloseHandle (hObject=0x26c) returned 1 [0289.361] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.361] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22cd8 | out: hHeap=0x28d0000) returned 1 [0289.361] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0289.361] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.361] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0289.361] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\JtsuQ8b_03.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\jtsuq8b_03.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\JtsuQ8b_03.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\jtsuq8b_03.jpg.nefilim")) returned 1 [0289.362] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0289.362] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.362] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xada31120, ftCreationTime.dwHighDateTime=0x1d5e68d, ftLastAccessTime.dwLowDateTime=0x92544e80, ftLastAccessTime.dwHighDateTime=0x1d5e5ce, ftLastWriteTime.dwLowDateTime=0x92544e80, ftLastWriteTime.dwHighDateTime=0x1d5e5ce, nFileSizeHigh=0x0, nFileSizeLow=0xff0e, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="ky4vX.bmp", cAlternateFileName="")) returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2=".") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="..") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="...") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="windows") returned -1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="$RECYCLE.BIN") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="rsa") returned -1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="NTDETECT.COM") returned -1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="ntldr") returned -1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="MSDOS.SYS") returned -1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="IO.SYS") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="boot.ini") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="ntuser.dat") returned -1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="desktop.ini") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="CONFIG.SYS") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="RECYCLER") returned -1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="BOOTSECT.BAK") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="bootmgr") returned 1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="programdata") returned -1 [0289.362] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="appdata") returned 1 [0289.363] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="program files") returned -1 [0289.363] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="program files (x86)") returned -1 [0289.363] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="microsoft") returned -1 [0289.363] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="sophos") returned -1 [0289.363] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0289.363] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.363] PathFindExtensionW (pszPath="ky4vX.bmp") returned=".bmp" [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0289.363] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0289.363] lstrcmpiW (lpString1="ky4vX.bmp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.363] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0289.363] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\ky4vX.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\ky4vx.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.364] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=65294) returned 1 [0289.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de270 [0289.364] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.364] SystemFunction036 (in: RandomBuffer=0x28de270, RandomBufferLength=0x10 | out: RandomBuffer=0x28de270) returned 1 [0289.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22ee8 [0289.364] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.364] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22ee8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22ee8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.366] GetTickCount () returned 0x11886d1 [0289.366] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c0 [0289.366] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c0 | out: hHeap=0x28d0000) returned 1 [0289.367] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xff0e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.367] SetLastError (dwErrCode=0x0) [0289.367] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.368] GetLastError () returned 0x0 [0289.368] GetLastError () returned 0x0 [0289.368] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1000e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.368] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22ee8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.368] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1010e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.368] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2cb256b, dwHighDateTime=0x1d5fd73)) [0289.368] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0289.368] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0289.368] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.368] GetProcessHeap () returned 0xa10000 [0289.368] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xff0e) returned 0xa3e6a0 [0289.370] GetSystemDefaultLangID () returned 0xa20409 [0289.370] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.370] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xff0e, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xff0e, lpOverlapped=0x0) returned 1 [0289.375] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.375] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xff0e, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xff0e, lpOverlapped=0x0) returned 1 [0289.375] GetProcessHeap () returned 0xa10000 [0289.375] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.378] CloseHandle (hObject=0x26c) returned 1 [0289.378] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.378] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22ee8 | out: hHeap=0x28d0000) returned 1 [0289.378] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.378] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de270 | out: hHeap=0x28d0000) returned 1 [0289.378] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0289.378] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\ky4vX.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\ky4vx.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\ky4vX.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\ky4vx.bmp.nefilim")) returned 1 [0289.379] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0289.379] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.379] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6392aff0, ftCreationTime.dwHighDateTime=0x1d5ed72, ftLastAccessTime.dwLowDateTime=0xfdde2cd0, ftLastAccessTime.dwHighDateTime=0x1d5e7e9, ftLastWriteTime.dwLowDateTime=0xfdde2cd0, ftLastWriteTime.dwHighDateTime=0x1d5e7e9, nFileSizeHigh=0x0, nFileSizeLow=0x15676, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="nIw3C03MK.gif", cAlternateFileName="NIW3C0~1.GIF")) returned 1 [0289.379] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2=".") returned 1 [0289.379] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="..") returned 1 [0289.379] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="...") returned 1 [0289.379] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="windows") returned -1 [0289.379] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="$RECYCLE.BIN") returned 1 [0289.379] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="rsa") returned -1 [0289.379] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="NTDETECT.COM") returned -1 [0289.379] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="ntldr") returned -1 [0289.379] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="MSDOS.SYS") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="IO.SYS") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="boot.ini") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="AUTOEXEC.BAT") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="ntuser.dat") returned -1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="desktop.ini") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="CONFIG.SYS") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="RECYCLER") returned -1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="BOOTSECT.BAK") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="bootmgr") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="programdata") returned -1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="appdata") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="program files") returned -1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="program files (x86)") returned -1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="microsoft") returned 1 [0289.380] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="sophos") returned -1 [0289.380] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0289.380] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.380] PathFindExtensionW (pszPath="nIw3C03MK.gif") returned=".gif" [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0289.380] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0289.381] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0289.381] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0289.381] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0289.381] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0289.381] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0289.381] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0289.381] lstrcmpiW (lpString1="nIw3C03MK.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0289.381] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0289.381] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\nIw3C03MK.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\niw3c03mk.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.381] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=87670) returned 1 [0289.381] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de288 [0289.381] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0289.381] SystemFunction036 (in: RandomBuffer=0x28de288, RandomBufferLength=0x10 | out: RandomBuffer=0x28de288) returned 1 [0289.381] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0289.381] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.381] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23200 [0289.381] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.382] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23200*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23200*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.382] GetTickCount () returned 0x11886e1 [0289.382] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec08 [0289.382] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec08 | out: hHeap=0x28d0000) returned 1 [0289.382] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15676, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.382] SetLastError (dwErrCode=0x0) [0289.382] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.383] GetLastError () returned 0x0 [0289.383] GetLastError () returned 0x0 [0289.383] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15776, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.384] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23200*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.384] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x15876, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.384] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2cd87bf, dwHighDateTime=0x1d5fd73)) [0289.384] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0289.384] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0289.384] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.384] GetProcessHeap () returned 0xa10000 [0289.384] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x15676) returned 0xa3e6a0 [0289.384] GetSystemDefaultLangID () returned 0xa20409 [0289.384] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.384] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x15676, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x15676, lpOverlapped=0x0) returned 1 [0289.390] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.390] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x15676, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x15676, lpOverlapped=0x0) returned 1 [0289.390] GetProcessHeap () returned 0xa10000 [0289.390] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.390] CloseHandle (hObject=0x26c) returned 1 [0289.390] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.390] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23200 | out: hHeap=0x28d0000) returned 1 [0289.390] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de288 | out: hHeap=0x28d0000) returned 1 [0289.391] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0289.391] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0289.391] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\nIw3C03MK.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\niw3c03mk.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\nIw3C03MK.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\niw3c03mk.gif.nefilim")) returned 1 [0289.440] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0289.440] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.440] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a55eaa0, ftCreationTime.dwHighDateTime=0x1d5ee92, ftLastAccessTime.dwLowDateTime=0x4714e560, ftLastAccessTime.dwHighDateTime=0x1d5e7e0, ftLastWriteTime.dwLowDateTime=0x4714e560, ftLastWriteTime.dwHighDateTime=0x1d5e7e0, nFileSizeHigh=0x0, nFileSizeLow=0x3d7e, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="NqA1IMzoC9o g.gif", cAlternateFileName="NQA1IM~1.GIF")) returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2=".") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="..") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="...") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="windows") returned -1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="$RECYCLE.BIN") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="rsa") returned -1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="NTDETECT.COM") returned -1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="ntldr") returned -1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="MSDOS.SYS") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="IO.SYS") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="boot.ini") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="AUTOEXEC.BAT") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="ntuser.dat") returned -1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="desktop.ini") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="CONFIG.SYS") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="RECYCLER") returned -1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="BOOTSECT.BAK") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="bootmgr") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="programdata") returned -1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="appdata") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="program files") returned -1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="program files (x86)") returned -1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="microsoft") returned 1 [0289.441] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="sophos") returned -1 [0289.441] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0289.442] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.442] PathFindExtensionW (pszPath="NqA1IMzoC9o g.gif") returned=".gif" [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0289.442] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0289.442] lstrcmpiW (lpString1="NqA1IMzoC9o g.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0289.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0289.442] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NqA1IMzoC9o g.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nqa1imzoc9o g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.443] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=15742) returned 1 [0289.443] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0289.443] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.443] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0289.443] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.443] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.443] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23518 [0289.443] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.445] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.447] GetTickCount () returned 0x118871f [0289.447] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec08 [0289.447] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec08 | out: hHeap=0x28d0000) returned 1 [0289.447] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3d7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.447] SetLastError (dwErrCode=0x0) [0289.447] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.448] GetLastError () returned 0x0 [0289.448] GetLastError () returned 0x0 [0289.448] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3e7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.449] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23518*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.449] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3f7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.449] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2d71032, dwHighDateTime=0x1d5fd73)) [0289.449] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0289.449] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.449] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.449] GetProcessHeap () returned 0xa10000 [0289.449] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3d7e) returned 0xa3e6a0 [0289.449] GetSystemDefaultLangID () returned 0xa20409 [0289.449] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.449] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x3d7e, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x3d7e, lpOverlapped=0x0) returned 1 [0289.450] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.450] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x3d7e, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x3d7e, lpOverlapped=0x0) returned 1 [0289.450] GetProcessHeap () returned 0xa10000 [0289.450] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.451] CloseHandle (hObject=0x26c) returned 1 [0289.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23518 | out: hHeap=0x28d0000) returned 1 [0289.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0289.451] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.451] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0289.451] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NqA1IMzoC9o g.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nqa1imzoc9o g.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NqA1IMzoC9o g.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nqa1imzoc9o g.gif.nefilim")) returned 1 [0289.452] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.452] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.452] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23722d40, ftCreationTime.dwHighDateTime=0x1d5eca2, ftLastAccessTime.dwLowDateTime=0x3c180bd0, ftLastAccessTime.dwHighDateTime=0x1d5e180, ftLastWriteTime.dwLowDateTime=0x3c180bd0, ftLastWriteTime.dwHighDateTime=0x1d5e180, nFileSizeHigh=0x0, nFileSizeLow=0xa2fb, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="o_CNdWCXgYOGGG9clu.jpg", cAlternateFileName="O_CNDW~1.JPG")) returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2=".") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="..") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="...") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="windows") returned -1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="$RECYCLE.BIN") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="rsa") returned -1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="NTDETECT.COM") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="ntldr") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="MSDOS.SYS") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="IO.SYS") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="boot.ini") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="ntuser.dat") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="desktop.ini") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="CONFIG.SYS") returned 1 [0289.452] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="RECYCLER") returned -1 [0289.453] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="BOOTSECT.BAK") returned 1 [0289.453] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="bootmgr") returned 1 [0289.453] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="programdata") returned -1 [0289.453] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="appdata") returned 1 [0289.453] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="program files") returned -1 [0289.453] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="program files (x86)") returned -1 [0289.453] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="microsoft") returned 1 [0289.453] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="sophos") returned -1 [0289.453] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0289.453] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.453] PathFindExtensionW (pszPath="o_CNdWCXgYOGGG9clu.jpg") returned=".jpg" [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0289.453] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0289.454] lstrcmpiW (lpString1="o_CNdWCXgYOGGG9clu.jpg", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0289.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0289.454] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\o_CNdWCXgYOGGG9clu.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\o_cndwcxgyoggg9clu.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.454] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=41723) returned 1 [0289.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2a0 [0289.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de270 [0289.454] SystemFunction036 (in: RandomBuffer=0x28de2a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2a0) returned 1 [0289.454] SystemFunction036 (in: RandomBuffer=0x28de270, RandomBufferLength=0x10 | out: RandomBuffer=0x28de270) returned 1 [0289.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.454] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23830 [0289.454] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.455] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23830*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23830*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.455] GetTickCount () returned 0x118872f [0289.455] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb60 [0289.456] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb60 | out: hHeap=0x28d0000) returned 1 [0289.456] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa2fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.456] SetLastError (dwErrCode=0x0) [0289.456] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.457] GetLastError () returned 0x0 [0289.457] GetLastError () returned 0x0 [0289.457] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa3fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.457] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23830*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23830*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.457] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa4fb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.457] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2d9a166, dwHighDateTime=0x1d5fd73)) [0289.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0289.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.457] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.457] GetProcessHeap () returned 0xa10000 [0289.457] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xa2fb) returned 0xa3e6a0 [0289.457] GetSystemDefaultLangID () returned 0xa20409 [0289.457] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.458] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xa2fb, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xa2fb, lpOverlapped=0x0) returned 1 [0289.460] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.460] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xa2fb, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xa2fb, lpOverlapped=0x0) returned 1 [0289.461] GetProcessHeap () returned 0xa10000 [0289.461] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.461] CloseHandle (hObject=0x26c) returned 1 [0289.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23830 | out: hHeap=0x28d0000) returned 1 [0289.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2a0 | out: hHeap=0x28d0000) returned 1 [0289.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de270 | out: hHeap=0x28d0000) returned 1 [0289.461] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0289.461] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\o_CNdWCXgYOGGG9clu.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\o_cndwcxgyoggg9clu.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\o_CNdWCXgYOGGG9clu.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\o_cndwcxgyoggg9clu.jpg.nefilim")) returned 1 [0289.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.462] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ff4b950, ftCreationTime.dwHighDateTime=0x1d5f08c, ftLastAccessTime.dwLowDateTime=0xd6c04460, ftLastAccessTime.dwHighDateTime=0x1d5e51b, ftLastWriteTime.dwLowDateTime=0xd6c04460, ftLastWriteTime.dwHighDateTime=0x1d5e51b, nFileSizeHigh=0x0, nFileSizeLow=0x57b5, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="Q6wXwkNMwDRBh56Bt.gif", cAlternateFileName="Q6WXWK~1.GIF")) returned 1 [0289.462] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2=".") returned 1 [0289.462] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="..") returned 1 [0289.462] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="...") returned 1 [0289.462] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="windows") returned -1 [0289.462] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="$RECYCLE.BIN") returned 1 [0289.462] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="rsa") returned -1 [0289.462] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="NTDETECT.COM") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="ntldr") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="MSDOS.SYS") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="IO.SYS") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="boot.ini") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="AUTOEXEC.BAT") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="ntuser.dat") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="desktop.ini") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="CONFIG.SYS") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="RECYCLER") returned -1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="BOOTSECT.BAK") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="bootmgr") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="programdata") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="appdata") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="program files") returned 1 [0289.463] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="program files (x86)") returned 1 [0289.464] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="microsoft") returned 1 [0289.464] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="sophos") returned -1 [0289.464] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0289.464] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.464] PathFindExtensionW (pszPath="Q6wXwkNMwDRBh56Bt.gif") returned=".gif" [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0289.464] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0289.464] lstrcmpiW (lpString1="Q6wXwkNMwDRBh56Bt.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0289.464] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0289.464] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Q6wXwkNMwDRBh56Bt.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\q6wxwknmwdrbh56bt.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0289.465] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=22453) returned 1 [0289.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0289.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0289.465] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0289.465] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0289.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22078 [0289.465] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0289.466] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22078*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22078*, pdwDataLen=0x26eec04*=0x100) returned 1 [0289.466] GetTickCount () returned 0x118872f [0289.466] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c0 [0289.466] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c0 | out: hHeap=0x28d0000) returned 1 [0289.466] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x57b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.466] SetLastError (dwErrCode=0x0) [0289.466] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.504] GetLastError () returned 0x0 [0289.504] GetLastError () returned 0x0 [0289.504] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x58b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.504] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22078*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0289.504] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x59b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.504] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd2e09727, dwHighDateTime=0x1d5fd73)) [0289.504] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0289.504] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.504] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0289.505] GetProcessHeap () returned 0xa10000 [0289.505] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x57b5) returned 0xa3e6a0 [0289.505] GetSystemDefaultLangID () returned 0xa20409 [0289.505] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.505] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x57b5, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x57b5, lpOverlapped=0x0) returned 1 [0289.506] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.506] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x57b5, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x57b5, lpOverlapped=0x0) returned 1 [0289.507] GetProcessHeap () returned 0xa10000 [0289.507] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0289.508] CloseHandle (hObject=0x26c) returned 1 [0289.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22078 | out: hHeap=0x28d0000) returned 1 [0289.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0289.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0289.509] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0289.509] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Q6wXwkNMwDRBh56Bt.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\q6wxwknmwdrbh56bt.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Q6wXwkNMwDRBh56Bt.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\q6wxwknmwdrbh56bt.gif.nefilim")) returned 1 [0289.510] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0289.510] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0289.510] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b37b8a0, ftCreationTime.dwHighDateTime=0x1d5f039, ftLastAccessTime.dwLowDateTime=0xe6928750, ftLastAccessTime.dwHighDateTime=0x1d5effb, ftLastWriteTime.dwLowDateTime=0xe6928750, ftLastWriteTime.dwHighDateTime=0x1d5effb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="rBM0TaOY", cAlternateFileName="")) returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2=".") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="..") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="...") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="windows") returned -1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="$RECYCLE.BIN") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="rsa") returned -1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="NTDETECT.COM") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="ntldr") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="MSDOS.SYS") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="IO.SYS") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="boot.ini") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="AUTOEXEC.BAT") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="ntuser.dat") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="desktop.ini") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="CONFIG.SYS") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="RECYCLER") returned -1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="BOOTSECT.BAK") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="bootmgr") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="programdata") returned 1 [0289.510] lstrcmpiW (lpString1="rBM0TaOY", lpString2="appdata") returned 1 [0289.511] lstrcmpiW (lpString1="rBM0TaOY", lpString2="program files") returned 1 [0289.511] lstrcmpiW (lpString1="rBM0TaOY", lpString2="program files (x86)") returned 1 [0289.511] lstrcmpiW (lpString1="rBM0TaOY", lpString2="microsoft") returned 1 [0289.511] lstrcmpiW (lpString1="rBM0TaOY", lpString2="sophos") returned -1 [0289.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0289.511] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0289.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0289.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd18 [0289.511] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd70 [0289.511] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b37b8a0, ftCreationTime.dwHighDateTime=0x1d5f039, ftLastAccessTime.dwLowDateTime=0xe6928750, ftLastAccessTime.dwHighDateTime=0x1d5effb, ftLastWriteTime.dwLowDateTime=0xe6928750, ftLastWriteTime.dwHighDateTime=0x1d5effb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0289.511] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0289.511] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9b37b8a0, ftCreationTime.dwHighDateTime=0x1d5f039, ftLastAccessTime.dwLowDateTime=0xe6928750, ftLastAccessTime.dwHighDateTime=0x1d5effb, ftLastWriteTime.dwLowDateTime=0xe6928750, ftLastWriteTime.dwHighDateTime=0x1d5effb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0289.513] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0289.513] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0289.513] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x417129f0, ftCreationTime.dwHighDateTime=0x1d5ef5d, ftLastAccessTime.dwLowDateTime=0xc5031d10, ftLastAccessTime.dwHighDateTime=0x1d5e31d, ftLastWriteTime.dwLowDateTime=0xc5031d10, ftLastWriteTime.dwHighDateTime=0x1d5e31d, nFileSizeHigh=0x0, nFileSizeLow=0xf483, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="-lCTHrfsw54yfdPxfO7.jpg", cAlternateFileName="-LCTHR~1.JPG")) returned 1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2=".") returned 1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="..") returned 1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="...") returned 1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="windows") returned -1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="$RECYCLE.BIN") returned 1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="rsa") returned -1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="NTDETECT.COM") returned -1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="ntldr") returned -1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="MSDOS.SYS") returned -1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="IO.SYS") returned 1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="boot.ini") returned 1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="ntuser.dat") returned -1 [0289.513] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="desktop.ini") returned 1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="CONFIG.SYS") returned 1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="RECYCLER") returned -1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="BOOTSECT.BAK") returned 1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="bootmgr") returned 1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="programdata") returned -1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="appdata") returned 1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="program files") returned -1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="program files (x86)") returned -1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="microsoft") returned -1 [0289.514] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="sophos") returned -1 [0289.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdc8 [0289.514] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0289.514] PathFindExtensionW (pszPath="-lCTHrfsw54yfdPxfO7.jpg") returned=".jpg" [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0289.515] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0289.515] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0289.515] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0289.515] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0289.515] lstrcmpiW (lpString1="-lCTHrfsw54yfdPxfO7.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.515] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe50 [0289.515] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\-lCTHrfsw54yfdPxfO7.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\-lcthrfsw54yfdpxfo7.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0289.515] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=62595) returned 1 [0289.515] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.515] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de270 [0289.515] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.515] SystemFunction036 (in: RandomBuffer=0x28de270, RandomBufferLength=0x10 | out: RandomBuffer=0x28de270) returned 1 [0289.515] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.515] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23b48 [0289.515] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0289.518] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23b48*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23b48*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0289.521] GetTickCount () returned 0x118876e [0289.521] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb98 [0289.521] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb98 | out: hHeap=0x28d0000) returned 1 [0289.521] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xf483, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.521] SetLastError (dwErrCode=0x0) [0289.521] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0289.523] GetLastError () returned 0x0 [0289.523] GetLastError () returned 0x0 [0289.523] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xf583, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.523] WriteFile (in: hFile=0x270, lpBuffer=0x2d23b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23b48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0289.523] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xf683, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.523] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd2e2fb45, dwHighDateTime=0x1d5fd73)) [0289.523] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0289.523] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0289.523] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0289.523] GetProcessHeap () returned 0xa10000 [0289.523] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xf483) returned 0xa3f6a8 [0289.523] GetSystemDefaultLangID () returned 0xa20409 [0289.523] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.523] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xf483, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xf483, lpOverlapped=0x0) returned 1 [0289.528] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.528] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xf483, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xf483, lpOverlapped=0x0) returned 1 [0289.528] GetProcessHeap () returned 0xa10000 [0289.528] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0289.528] CloseHandle (hObject=0x270) returned 1 [0289.529] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.529] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23b48 | out: hHeap=0x28d0000) returned 1 [0289.529] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.529] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de270 | out: hHeap=0x28d0000) returned 1 [0289.529] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28deca0 [0289.529] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\-lCTHrfsw54yfdPxfO7.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\-lcthrfsw54yfdpxfo7.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\-lCTHrfsw54yfdPxfO7.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\-lcthrfsw54yfdpxfo7.jpg.nefilim")) returned 1 [0289.530] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0289.530] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0289.530] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16957a50, ftCreationTime.dwHighDateTime=0x1d5e388, ftLastAccessTime.dwLowDateTime=0x585c54d0, ftLastAccessTime.dwHighDateTime=0x1d5e46a, ftLastWriteTime.dwLowDateTime=0x585c54d0, ftLastWriteTime.dwHighDateTime=0x1d5e46a, nFileSizeHigh=0x0, nFileSizeLow=0x1281, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="52J2oYOqre1eC-5G.gif", cAlternateFileName="52J2OY~1.GIF")) returned 1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2=".") returned 1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="..") returned 1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="...") returned 1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="windows") returned -1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="$RECYCLE.BIN") returned 1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="rsa") returned -1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="NTDETECT.COM") returned -1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="ntldr") returned -1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="MSDOS.SYS") returned -1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="IO.SYS") returned -1 [0289.530] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="boot.ini") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="AUTOEXEC.BAT") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="ntuser.dat") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="desktop.ini") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="CONFIG.SYS") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="RECYCLER") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="BOOTSECT.BAK") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="bootmgr") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="programdata") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="appdata") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="program files") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="program files (x86)") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="microsoft") returned -1 [0289.531] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="sophos") returned -1 [0289.531] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe50 [0289.531] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdc8 | out: hHeap=0x28d0000) returned 1 [0289.531] PathFindExtensionW (pszPath="52J2oYOqre1eC-5G.gif") returned=".gif" [0289.531] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0289.531] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0289.531] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0289.531] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0289.531] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0289.531] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0289.531] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0289.532] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0289.532] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0289.532] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0289.532] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0289.532] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0289.532] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0289.532] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0289.532] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0289.532] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0289.532] lstrcmpiW (lpString1="52J2oYOqre1eC-5G.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.532] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd70 [0289.532] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\52J2oYOqre1eC-5G.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\52j2oyoqre1ec-5g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0289.533] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=4737) returned 1 [0289.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2a0 [0289.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.533] SystemFunction036 (in: RandomBuffer=0x28de2a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2a0) returned 1 [0289.533] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.533] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d227b0 [0289.533] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0289.533] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d227b0*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d227b0*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0289.534] GetTickCount () returned 0x118877d [0289.534] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28debd0 [0289.534] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28debd0 | out: hHeap=0x28d0000) returned 1 [0289.534] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1281, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.534] SetLastError (dwErrCode=0x0) [0289.534] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0289.535] GetLastError () returned 0x0 [0289.535] GetLastError () returned 0x0 [0289.535] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1381, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.535] WriteFile (in: hFile=0x270, lpBuffer=0x2d227b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d227b0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0289.535] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1481, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.535] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd2e55ef8, dwHighDateTime=0x1d5fd73)) [0289.535] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0289.535] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0289.536] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0289.536] GetProcessHeap () returned 0xa10000 [0289.536] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1281) returned 0xa3f6a8 [0289.536] GetSystemDefaultLangID () returned 0xa20409 [0289.536] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.536] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1281, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x1281, lpOverlapped=0x0) returned 1 [0289.536] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.536] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1281, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x1281, lpOverlapped=0x0) returned 1 [0289.536] GetProcessHeap () returned 0xa10000 [0289.536] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0289.536] CloseHandle (hObject=0x270) returned 1 [0289.537] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.537] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d227b0 | out: hHeap=0x28d0000) returned 1 [0289.537] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2a0 | out: hHeap=0x28d0000) returned 1 [0289.537] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.537] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28deca0 [0289.537] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\52J2oYOqre1eC-5G.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\52j2oyoqre1ec-5g.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\52J2oYOqre1eC-5G.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\52j2oyoqre1ec-5g.gif.nefilim")) returned 1 [0289.538] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0289.538] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0289.538] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae1ff2c0, ftCreationTime.dwHighDateTime=0x1d5e710, ftLastAccessTime.dwLowDateTime=0x46b34760, ftLastAccessTime.dwHighDateTime=0x1d5eec5, ftLastWriteTime.dwLowDateTime=0x46b34760, ftLastWriteTime.dwHighDateTime=0x1d5eec5, nFileSizeHigh=0x0, nFileSizeLow=0x46d0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="5r3RU.bmp", cAlternateFileName="")) returned 1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2=".") returned 1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="..") returned 1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="...") returned 1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="windows") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="$RECYCLE.BIN") returned 1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="rsa") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="NTDETECT.COM") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="ntldr") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="MSDOS.SYS") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="IO.SYS") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="boot.ini") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="AUTOEXEC.BAT") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="ntuser.dat") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="desktop.ini") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="CONFIG.SYS") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="RECYCLER") returned -1 [0289.538] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="BOOTSECT.BAK") returned -1 [0289.539] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="bootmgr") returned -1 [0289.539] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="programdata") returned -1 [0289.539] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="appdata") returned -1 [0289.539] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="program files") returned -1 [0289.539] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="program files (x86)") returned -1 [0289.539] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="microsoft") returned -1 [0289.539] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="sophos") returned -1 [0289.539] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd70 [0289.539] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0289.539] PathFindExtensionW (pszPath="5r3RU.bmp") returned=".bmp" [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0289.539] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0289.540] lstrcmpiW (lpString1="5r3RU.bmp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0289.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdd8 [0289.540] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\5r3RU.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\5r3ru.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0289.540] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=18128) returned 1 [0289.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0289.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0289.540] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0289.540] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0289.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0289.540] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23200 [0289.540] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0289.541] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23200*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23200*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0289.541] GetTickCount () returned 0x118877d [0289.541] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb98 [0289.541] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb98 | out: hHeap=0x28d0000) returned 1 [0289.541] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x46d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.541] SetLastError (dwErrCode=0x0) [0289.541] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0289.543] GetLastError () returned 0x0 [0289.543] GetLastError () returned 0x0 [0289.543] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x47d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.543] WriteFile (in: hFile=0x270, lpBuffer=0x2d23200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23200*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0289.543] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x48d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.543] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd2e55ef8, dwHighDateTime=0x1d5fd73)) [0289.543] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0289.543] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0289.543] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0289.543] GetProcessHeap () returned 0xa10000 [0289.543] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x46d0) returned 0xa3f6a8 [0289.543] GetSystemDefaultLangID () returned 0xa20409 [0289.543] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.543] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x46d0, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x46d0, lpOverlapped=0x0) returned 1 [0289.545] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0289.545] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x46d0, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x46d0, lpOverlapped=0x0) returned 1 [0289.545] GetProcessHeap () returned 0xa10000 [0289.545] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0289.545] CloseHandle (hObject=0x270) returned 1 [0289.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0289.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23200 | out: hHeap=0x28d0000) returned 1 [0289.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0289.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0289.545] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe40 [0289.545] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\5r3RU.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\5r3ru.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\5r3RU.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\5r3ru.bmp.nefilim")) returned 1 [0289.546] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0289.546] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0289.546] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa71ff810, ftCreationTime.dwHighDateTime=0x1d5e7fd, ftLastAccessTime.dwLowDateTime=0xb284d160, ftLastAccessTime.dwHighDateTime=0x1d5eb1f, ftLastWriteTime.dwLowDateTime=0xb284d160, ftLastWriteTime.dwHighDateTime=0x1d5eb1f, nFileSizeHigh=0x0, nFileSizeLow=0x7917, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="89DPOMk40qp0RKaz.gif", cAlternateFileName="89DPOM~1.GIF")) returned 1 [0289.546] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2=".") returned 1 [0289.546] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="..") returned 1 [0289.546] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="...") returned 1 [0289.546] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="windows") returned -1 [0289.546] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="$RECYCLE.BIN") returned 1 [0289.546] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="rsa") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="NTDETECT.COM") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="ntldr") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="MSDOS.SYS") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="IO.SYS") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="boot.ini") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="AUTOEXEC.BAT") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="ntuser.dat") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="desktop.ini") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="CONFIG.SYS") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="RECYCLER") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="BOOTSECT.BAK") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="bootmgr") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="programdata") returned -1 [0289.547] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="appdata") returned -1 [0290.749] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="program files") returned -1 [0290.749] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="program files (x86)") returned -1 [0290.749] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="microsoft") returned -1 [0290.749] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="sophos") returned -1 [0290.749] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbdd8 [0290.780] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0291.636] PathFindExtensionW (pszPath="89DPOMk40qp0RKaz.gif") returned=".gif" [0291.723] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0291.724] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0291.724] lstrcmpiW (lpString1="89DPOMk40qp0RKaz.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0291.724] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe50 [0291.724] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\89DPOMk40qp0RKaz.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\89dpomk40qp0rkaz.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0291.746] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=30999) returned 1 [0291.746] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0291.747] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0291.747] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0291.747] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0291.747] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0291.747] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22ff0 [0291.772] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0291.774] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22ff0*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22ff0*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0291.829] GetTickCount () returned 0x1189076 [0291.829] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8f8 [0291.829] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8f8 | out: hHeap=0x28d0000) returned 1 [0291.829] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7917, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0291.879] SetLastError (dwErrCode=0x0) [0291.897] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0291.954] GetLastError () returned 0x0 [0291.954] GetLastError () returned 0x0 [0291.954] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7a17, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0291.954] WriteFile (in: hFile=0x270, lpBuffer=0x2d22ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d22ff0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0291.955] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7b17, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0291.976] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd45a2251, dwHighDateTime=0x1d5fd73)) [0291.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0291.976] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.122] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.122] GetProcessHeap () returned 0xa10000 [0292.122] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x7917) returned 0xa3f6a8 [0292.152] GetSystemDefaultLangID () returned 0xa20409 [0292.152] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.152] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x7917, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x7917, lpOverlapped=0x0) returned 1 [0292.155] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.180] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x7917, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x7917, lpOverlapped=0x0) returned 1 [0292.180] GetProcessHeap () returned 0xa10000 [0292.237] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.237] CloseHandle (hObject=0x270) returned 1 [0292.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22ff0 | out: hHeap=0x28d0000) returned 1 [0292.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0292.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0292.237] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28deca0 [0292.367] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\89DPOMk40qp0RKaz.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\89dpomk40qp0rkaz.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\89DPOMk40qp0RKaz.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\89dpomk40qp0rkaz.gif.nefilim")) returned 1 [0292.369] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0292.369] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0292.392] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a095450, ftCreationTime.dwHighDateTime=0x1d5e19f, ftLastAccessTime.dwLowDateTime=0xe01c740, ftLastAccessTime.dwHighDateTime=0x1d5e90a, ftLastWriteTime.dwLowDateTime=0xe01c740, ftLastWriteTime.dwHighDateTime=0x1d5e90a, nFileSizeHigh=0x0, nFileSizeLow=0x12bf1, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="DKHU.jpg", cAlternateFileName="")) returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2=".") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="..") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="...") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="windows") returned -1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="$RECYCLE.BIN") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="rsa") returned -1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="NTDETECT.COM") returned -1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="ntldr") returned -1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="MSDOS.SYS") returned -1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="IO.SYS") returned -1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="boot.ini") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="ntuser.dat") returned -1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="desktop.ini") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="CONFIG.SYS") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="RECYCLER") returned -1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="BOOTSECT.BAK") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="bootmgr") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="programdata") returned -1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="appdata") returned 1 [0292.440] lstrcmpiW (lpString1="DKHU.jpg", lpString2="program files") returned -1 [0292.441] lstrcmpiW (lpString1="DKHU.jpg", lpString2="program files (x86)") returned -1 [0292.441] lstrcmpiW (lpString1="DKHU.jpg", lpString2="microsoft") returned -1 [0292.441] lstrcmpiW (lpString1="DKHU.jpg", lpString2="sophos") returned -1 [0292.441] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd70 [0292.441] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0292.441] PathFindExtensionW (pszPath="DKHU.jpg") returned=".jpg" [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0292.441] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0292.441] lstrcmpiW (lpString1="DKHU.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0292.441] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdd8 [0292.441] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\DKHU.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\dkhu.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.442] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=76785) returned 1 [0292.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0292.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de270 [0292.442] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0292.442] SystemFunction036 (in: RandomBuffer=0x28de270, RandomBufferLength=0x10 | out: RandomBuffer=0x28de270) returned 1 [0292.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23b48 [0292.442] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.443] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23b48*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23b48*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.445] GetTickCount () returned 0x11892d7 [0292.445] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deab8 [0292.445] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deab8 | out: hHeap=0x28d0000) returned 1 [0292.445] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12bf1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.445] SetLastError (dwErrCode=0x0) [0292.445] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.446] GetLastError () returned 0x0 [0292.446] GetLastError () returned 0x0 [0292.446] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12cf1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.446] WriteFile (in: hFile=0x270, lpBuffer=0x2d23b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23b48*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.446] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12df1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.446] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4a046ea, dwHighDateTime=0x1d5fd73)) [0292.446] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.447] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.447] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.447] GetProcessHeap () returned 0xa10000 [0292.447] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12bf1) returned 0xa3f6a8 [0292.448] GetSystemDefaultLangID () returned 0xa20409 [0292.448] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.448] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x12bf1, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x12bf1, lpOverlapped=0x0) returned 1 [0292.456] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.456] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x12bf1, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x12bf1, lpOverlapped=0x0) returned 1 [0292.456] GetProcessHeap () returned 0xa10000 [0292.456] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.456] CloseHandle (hObject=0x270) returned 1 [0292.456] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.456] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23b48 | out: hHeap=0x28d0000) returned 1 [0292.456] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0292.457] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de270 | out: hHeap=0x28d0000) returned 1 [0292.457] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe40 [0292.457] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\DKHU.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\dkhu.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\DKHU.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\dkhu.jpg.nefilim")) returned 1 [0292.458] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0292.458] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0292.458] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe238ce20, ftCreationTime.dwHighDateTime=0x1d5e129, ftLastAccessTime.dwLowDateTime=0x51a94a80, ftLastAccessTime.dwHighDateTime=0x1d5e40b, ftLastWriteTime.dwLowDateTime=0x51a94a80, ftLastWriteTime.dwHighDateTime=0x1d5e40b, nFileSizeHigh=0x0, nFileSizeLow=0x9f15, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="Ij3x b--tr8.jpg", cAlternateFileName="IJ3XB-~1.JPG")) returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2=".") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="..") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="...") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="windows") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="$RECYCLE.BIN") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="rsa") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="NTDETECT.COM") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="ntldr") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="MSDOS.SYS") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="IO.SYS") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="boot.ini") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="ntuser.dat") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="desktop.ini") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="CONFIG.SYS") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="RECYCLER") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="BOOTSECT.BAK") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="bootmgr") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="programdata") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="appdata") returned 1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="program files") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="program files (x86)") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="microsoft") returned -1 [0292.458] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="sophos") returned -1 [0292.459] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbdd8 [0292.459] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0292.459] PathFindExtensionW (pszPath="Ij3x b--tr8.jpg") returned=".jpg" [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0292.459] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0292.459] lstrcmpiW (lpString1="Ij3x b--tr8.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0292.459] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe50 [0292.459] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\Ij3x b--tr8.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\ij3x b--tr8.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.460] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=40725) returned 1 [0292.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2a0 [0292.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de270 [0292.460] SystemFunction036 (in: RandomBuffer=0x28de2a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2a0) returned 1 [0292.460] SystemFunction036 (in: RandomBuffer=0x28de270, RandomBufferLength=0x10 | out: RandomBuffer=0x28de270) returned 1 [0292.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.460] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0292.460] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.460] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.461] GetTickCount () returned 0x11892e7 [0292.461] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec08 [0292.461] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec08 | out: hHeap=0x28d0000) returned 1 [0292.461] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9f15, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.461] SetLastError (dwErrCode=0x0) [0292.461] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.463] GetLastError () returned 0x0 [0292.463] GetLastError () returned 0x0 [0292.463] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa015, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.463] WriteFile (in: hFile=0x270, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.463] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa115, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.463] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4a29529, dwHighDateTime=0x1d5fd73)) [0292.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.463] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.463] GetProcessHeap () returned 0xa10000 [0292.463] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x9f15) returned 0xa3f6a8 [0292.463] GetSystemDefaultLangID () returned 0xa20409 [0292.463] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.463] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x9f15, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x9f15, lpOverlapped=0x0) returned 1 [0292.467] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.467] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x9f15, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x9f15, lpOverlapped=0x0) returned 1 [0292.467] GetProcessHeap () returned 0xa10000 [0292.467] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.467] CloseHandle (hObject=0x270) returned 1 [0292.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0292.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2a0 | out: hHeap=0x28d0000) returned 1 [0292.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de270 | out: hHeap=0x28d0000) returned 1 [0292.467] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28deca0 [0292.467] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\Ij3x b--tr8.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\ij3x b--tr8.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\Ij3x b--tr8.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\ij3x b--tr8.jpg.nefilim")) returned 1 [0292.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0292.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0292.468] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cb890, ftCreationTime.dwHighDateTime=0x1d5ea03, ftLastAccessTime.dwLowDateTime=0x85c64100, ftLastAccessTime.dwHighDateTime=0x1d5e529, ftLastWriteTime.dwLowDateTime=0x85c64100, ftLastWriteTime.dwHighDateTime=0x1d5e529, nFileSizeHigh=0x0, nFileSizeLow=0xd1c9, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="l axR.png", cAlternateFileName="LAXR~1.PNG")) returned 1 [0292.468] lstrcmpiW (lpString1="l axR.png", lpString2=".") returned 1 [0292.468] lstrcmpiW (lpString1="l axR.png", lpString2="..") returned 1 [0292.468] lstrcmpiW (lpString1="l axR.png", lpString2="...") returned 1 [0292.468] lstrcmpiW (lpString1="l axR.png", lpString2="windows") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="$RECYCLE.BIN") returned 1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="rsa") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="NTDETECT.COM") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="ntldr") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="MSDOS.SYS") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="IO.SYS") returned 1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="boot.ini") returned 1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="AUTOEXEC.BAT") returned 1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="ntuser.dat") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="desktop.ini") returned 1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="CONFIG.SYS") returned 1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="RECYCLER") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="BOOTSECT.BAK") returned 1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="bootmgr") returned 1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="programdata") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="appdata") returned 1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="program files") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="program files (x86)") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="microsoft") returned -1 [0292.469] lstrcmpiW (lpString1="l axR.png", lpString2="sophos") returned -1 [0292.469] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd70 [0292.469] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0292.469] PathFindExtensionW (pszPath="l axR.png") returned=".png" [0292.469] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0292.469] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0292.469] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0292.469] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0292.469] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0292.470] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0292.470] lstrcmpiW (lpString1="l axR.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0292.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdd8 [0292.470] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\l axR.png" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\l axr.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.470] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=53705) returned 1 [0292.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0292.470] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2a0 [0292.471] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0292.471] SystemFunction036 (in: RandomBuffer=0x28de2a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2a0) returned 1 [0292.471] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.471] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23728 [0292.471] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.471] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23728*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23728*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.472] GetTickCount () returned 0x11892f7 [0292.472] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb98 [0292.472] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb98 | out: hHeap=0x28d0000) returned 1 [0292.472] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd1c9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.472] SetLastError (dwErrCode=0x0) [0292.472] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.473] GetLastError () returned 0x0 [0292.473] GetLastError () returned 0x0 [0292.473] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd2c9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.473] WriteFile (in: hFile=0x270, lpBuffer=0x2d23728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23728*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.473] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd3c9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.473] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4a4f80a, dwHighDateTime=0x1d5fd73)) [0292.473] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.473] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.473] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.473] GetProcessHeap () returned 0xa10000 [0292.473] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xd1c9) returned 0xa3f6a8 [0292.473] GetSystemDefaultLangID () returned 0xa20409 [0292.474] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.474] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xd1c9, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xd1c9, lpOverlapped=0x0) returned 1 [0292.478] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.478] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xd1c9, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xd1c9, lpOverlapped=0x0) returned 1 [0292.478] GetProcessHeap () returned 0xa10000 [0292.478] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.480] CloseHandle (hObject=0x270) returned 1 [0292.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23728 | out: hHeap=0x28d0000) returned 1 [0292.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0292.480] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2a0 | out: hHeap=0x28d0000) returned 1 [0292.480] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe40 [0292.480] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\l axR.png" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\l axr.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\l axR.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\l axr.png.nefilim")) returned 1 [0292.512] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0292.512] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0292.512] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf878b650, ftCreationTime.dwHighDateTime=0x1d5e9e9, ftLastAccessTime.dwLowDateTime=0x47bec490, ftLastAccessTime.dwHighDateTime=0x1d5f0e1, ftLastWriteTime.dwLowDateTime=0x47bec490, ftLastWriteTime.dwHighDateTime=0x1d5f0e1, nFileSizeHigh=0x0, nFileSizeLow=0x16661, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="MEUhH8_U-82.jpg", cAlternateFileName="MEUHH8~1.JPG")) returned 1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2=".") returned 1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="..") returned 1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="...") returned 1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="windows") returned -1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="$RECYCLE.BIN") returned 1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="rsa") returned -1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="NTDETECT.COM") returned -1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="ntldr") returned -1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="MSDOS.SYS") returned -1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="IO.SYS") returned 1 [0292.512] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="boot.ini") returned 1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="ntuser.dat") returned -1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="desktop.ini") returned 1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="CONFIG.SYS") returned 1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="RECYCLER") returned -1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="BOOTSECT.BAK") returned 1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="bootmgr") returned 1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="programdata") returned -1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="appdata") returned 1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="program files") returned -1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="program files (x86)") returned -1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="microsoft") returned -1 [0292.513] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="sophos") returned -1 [0292.513] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbdd8 [0292.513] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0292.513] PathFindExtensionW (pszPath="MEUhH8_U-82.jpg") returned=".jpg" [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0292.513] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0292.514] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0292.514] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0292.514] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0292.514] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0292.514] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0292.514] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0292.514] lstrcmpiW (lpString1="MEUhH8_U-82.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0292.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe50 [0292.514] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\MEUhH8_U-82.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\meuhh8_u-82.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.514] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=91745) returned 1 [0292.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0292.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0292.514] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0292.514] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0292.514] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.515] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22cd8 [0292.515] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.517] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22cd8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22cd8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.517] GetTickCount () returned 0x1189326 [0292.517] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb60 [0292.517] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb60 | out: hHeap=0x28d0000) returned 1 [0292.517] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16661, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.518] SetLastError (dwErrCode=0x0) [0292.518] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.519] GetLastError () returned 0x0 [0292.519] GetLastError () returned 0x0 [0292.519] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16761, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.519] WriteFile (in: hFile=0x270, lpBuffer=0x2d22cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d22cd8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.519] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16861, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.519] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4ac3c90, dwHighDateTime=0x1d5fd73)) [0292.519] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.519] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.519] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.519] GetProcessHeap () returned 0xa10000 [0292.519] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x16661) returned 0xa3f6a8 [0292.519] GetSystemDefaultLangID () returned 0xa20409 [0292.519] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.519] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x16661, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x16661, lpOverlapped=0x0) returned 1 [0292.527] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.527] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x16661, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x16661, lpOverlapped=0x0) returned 1 [0292.528] GetProcessHeap () returned 0xa10000 [0292.528] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.528] CloseHandle (hObject=0x270) returned 1 [0292.528] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.528] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22cd8 | out: hHeap=0x28d0000) returned 1 [0292.528] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0292.528] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0292.528] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28deca0 [0292.528] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\MEUhH8_U-82.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\meuhh8_u-82.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\MEUhH8_U-82.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\meuhh8_u-82.jpg.nefilim")) returned 1 [0292.529] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0292.529] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0292.530] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27e77a40, ftCreationTime.dwHighDateTime=0x1d5e245, ftLastAccessTime.dwLowDateTime=0x338b16e0, ftLastAccessTime.dwHighDateTime=0x1d5e970, ftLastWriteTime.dwLowDateTime=0x338b16e0, ftLastWriteTime.dwHighDateTime=0x1d5e970, nFileSizeHigh=0x0, nFileSizeLow=0x12e2f, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="nEF_5td.png", cAlternateFileName="")) returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2=".") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="..") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="...") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="windows") returned -1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="$RECYCLE.BIN") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="rsa") returned -1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="NTDETECT.COM") returned -1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="ntldr") returned -1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="MSDOS.SYS") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="IO.SYS") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="boot.ini") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="AUTOEXEC.BAT") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="ntuser.dat") returned -1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="desktop.ini") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="CONFIG.SYS") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="RECYCLER") returned -1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="BOOTSECT.BAK") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="bootmgr") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="programdata") returned -1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="appdata") returned 1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="program files") returned -1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="program files (x86)") returned -1 [0292.530] lstrcmpiW (lpString1="nEF_5td.png", lpString2="microsoft") returned 1 [0292.531] lstrcmpiW (lpString1="nEF_5td.png", lpString2="sophos") returned -1 [0292.531] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd70 [0292.531] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0292.531] PathFindExtensionW (pszPath="nEF_5td.png") returned=".png" [0292.531] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0292.531] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0292.531] lstrcmpiW (lpString1="nEF_5td.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0292.531] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdd8 [0292.531] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\nEF_5td.png" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\nef_5td.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.532] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=77359) returned 1 [0292.532] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0292.532] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0292.532] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0292.532] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0292.532] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.532] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23938 [0292.532] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.534] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23938*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23938*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.537] GetTickCount () returned 0x1189335 [0292.537] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea48 [0292.537] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea48 | out: hHeap=0x28d0000) returned 1 [0292.537] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12e2f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.537] SetLastError (dwErrCode=0x0) [0292.537] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.538] GetLastError () returned 0x0 [0292.538] GetLastError () returned 0x0 [0292.538] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12f2f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.538] WriteFile (in: hFile=0x270, lpBuffer=0x2d23938*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23938*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.538] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1302f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.538] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4ae80b8, dwHighDateTime=0x1d5fd73)) [0292.538] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.538] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.538] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.539] GetProcessHeap () returned 0xa10000 [0292.539] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12e2f) returned 0xa3f6a8 [0292.539] GetSystemDefaultLangID () returned 0xa20409 [0292.539] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.539] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x12e2f, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x12e2f, lpOverlapped=0x0) returned 1 [0292.548] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.548] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x12e2f, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x12e2f, lpOverlapped=0x0) returned 1 [0292.548] GetProcessHeap () returned 0xa10000 [0292.548] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.548] CloseHandle (hObject=0x270) returned 1 [0292.548] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.548] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23938 | out: hHeap=0x28d0000) returned 1 [0292.549] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0292.549] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0292.549] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe40 [0292.549] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\nEF_5td.png" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\nef_5td.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\nEF_5td.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\nef_5td.png.nefilim")) returned 1 [0292.550] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0292.550] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0292.550] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55cf1e40, ftCreationTime.dwHighDateTime=0x1d5eb91, ftLastAccessTime.dwLowDateTime=0x7ff328c0, ftLastAccessTime.dwHighDateTime=0x1d5eb54, ftLastWriteTime.dwLowDateTime=0x7ff328c0, ftLastWriteTime.dwHighDateTime=0x1d5eb54, nFileSizeHigh=0x0, nFileSizeLow=0x5fe6, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="r-Mft.jpg", cAlternateFileName="")) returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2=".") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="..") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="...") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="windows") returned -1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="$RECYCLE.BIN") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="rsa") returned -1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="NTDETECT.COM") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="ntldr") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="MSDOS.SYS") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="IO.SYS") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="boot.ini") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="ntuser.dat") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="desktop.ini") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="CONFIG.SYS") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="RECYCLER") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="BOOTSECT.BAK") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="bootmgr") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="programdata") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="appdata") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="program files") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="program files (x86)") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="microsoft") returned 1 [0292.550] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="sophos") returned -1 [0292.551] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdd8 [0292.551] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0292.551] PathFindExtensionW (pszPath="r-Mft.jpg") returned=".jpg" [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0292.551] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0292.551] lstrcmpiW (lpString1="r-Mft.jpg", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0292.551] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd70 [0292.551] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\r-Mft.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\r-mft.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.552] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=24550) returned 1 [0292.552] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0292.552] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de288 [0292.552] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0292.552] SystemFunction036 (in: RandomBuffer=0x28de288, RandomBufferLength=0x10 | out: RandomBuffer=0x28de288) returned 1 [0292.552] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.552] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23a40 [0292.552] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.552] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23a40*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23a40*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.553] GetTickCount () returned 0x1189345 [0292.553] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c0 [0292.553] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c0 | out: hHeap=0x28d0000) returned 1 [0292.553] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5fe6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.553] SetLastError (dwErrCode=0x0) [0292.553] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.554] GetLastError () returned 0x0 [0292.554] GetLastError () returned 0x0 [0292.554] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x60e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.555] WriteFile (in: hFile=0x270, lpBuffer=0x2d23a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23a40*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.555] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x61e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.555] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4b0e4c3, dwHighDateTime=0x1d5fd73)) [0292.555] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.555] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.555] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.555] GetProcessHeap () returned 0xa10000 [0292.555] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x5fe6) returned 0xa3f6a8 [0292.555] GetSystemDefaultLangID () returned 0xa20409 [0292.555] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.555] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x5fe6, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x5fe6, lpOverlapped=0x0) returned 1 [0292.557] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.557] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x5fe6, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x5fe6, lpOverlapped=0x0) returned 1 [0292.557] GetProcessHeap () returned 0xa10000 [0292.557] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.557] CloseHandle (hObject=0x270) returned 1 [0292.557] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.558] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23a40 | out: hHeap=0x28d0000) returned 1 [0292.558] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0292.558] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de288 | out: hHeap=0x28d0000) returned 1 [0292.558] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe40 [0292.558] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\r-Mft.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\r-mft.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\r-Mft.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\r-mft.jpg.nefilim")) returned 1 [0292.559] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0292.559] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0292.611] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7e08f00, ftCreationTime.dwHighDateTime=0x1d5ec9c, ftLastAccessTime.dwLowDateTime=0x1d49b360, ftLastAccessTime.dwHighDateTime=0x1d5e145, ftLastWriteTime.dwLowDateTime=0x1d49b360, ftLastWriteTime.dwHighDateTime=0x1d5e145, nFileSizeHigh=0x0, nFileSizeLow=0x57ba, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="SCbYhL3E_t.bmp", cAlternateFileName="SCBYHL~1.BMP")) returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2=".") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="..") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="...") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="windows") returned -1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="$RECYCLE.BIN") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="rsa") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="NTDETECT.COM") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="ntldr") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="MSDOS.SYS") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="IO.SYS") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="boot.ini") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="ntuser.dat") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="desktop.ini") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="CONFIG.SYS") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="RECYCLER") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="BOOTSECT.BAK") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="bootmgr") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="programdata") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="appdata") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="program files") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="program files (x86)") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="microsoft") returned 1 [0292.612] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="sophos") returned -1 [0292.612] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe40 [0292.613] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0292.613] PathFindExtensionW (pszPath="SCbYhL3E_t.bmp") returned=".bmp" [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0292.613] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0292.613] lstrcmpiW (lpString1="SCbYhL3E_t.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0292.613] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd70 [0292.613] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\SCbYhL3E_t.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\scbyhl3e_t.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.614] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=22458) returned 1 [0292.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0292.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de288 [0292.614] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0292.614] SystemFunction036 (in: RandomBuffer=0x28de288, RandomBufferLength=0x10 | out: RandomBuffer=0x28de288) returned 1 [0292.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.614] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23308 [0292.614] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.616] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23308*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23308*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.619] GetTickCount () returned 0x1189383 [0292.619] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea48 [0292.619] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea48 | out: hHeap=0x28d0000) returned 1 [0292.619] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x57ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.619] SetLastError (dwErrCode=0x0) [0292.619] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.620] GetLastError () returned 0x0 [0292.620] GetLastError () returned 0x0 [0292.620] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x58ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.620] WriteFile (in: hFile=0x270, lpBuffer=0x2d23308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23308*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.620] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x59ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.620] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4ba6ce8, dwHighDateTime=0x1d5fd73)) [0292.620] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.620] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.620] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.620] GetProcessHeap () returned 0xa10000 [0292.620] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x57ba) returned 0xa3f6a8 [0292.620] GetSystemDefaultLangID () returned 0xa20409 [0292.621] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.621] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x57ba, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x57ba, lpOverlapped=0x0) returned 1 [0292.622] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.622] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x57ba, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x57ba, lpOverlapped=0x0) returned 1 [0292.623] GetProcessHeap () returned 0xa10000 [0292.623] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.623] CloseHandle (hObject=0x270) returned 1 [0292.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23308 | out: hHeap=0x28d0000) returned 1 [0292.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0292.623] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de288 | out: hHeap=0x28d0000) returned 1 [0292.623] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28deca0 [0292.623] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\SCbYhL3E_t.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\scbyhl3e_t.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\SCbYhL3E_t.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\scbyhl3e_t.bmp.nefilim")) returned 1 [0292.624] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0292.624] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0292.624] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefc8300, ftCreationTime.dwHighDateTime=0x1d5f0c7, ftLastAccessTime.dwLowDateTime=0xef262030, ftLastAccessTime.dwHighDateTime=0x1d5eb72, ftLastWriteTime.dwLowDateTime=0xef262030, ftLastWriteTime.dwHighDateTime=0x1d5eb72, nFileSizeHigh=0x0, nFileSizeLow=0xea6b, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="StFfZ5d8iiPeu.jpg", cAlternateFileName="STFFZ5~1.JPG")) returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2=".") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="..") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="...") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="windows") returned -1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="$RECYCLE.BIN") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="rsa") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="NTDETECT.COM") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="ntldr") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="MSDOS.SYS") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="IO.SYS") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="boot.ini") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0292.624] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="ntuser.dat") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="desktop.ini") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="CONFIG.SYS") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="RECYCLER") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="BOOTSECT.BAK") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="bootmgr") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="programdata") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="appdata") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="program files") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="program files (x86)") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="microsoft") returned 1 [0292.625] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="sophos") returned 1 [0292.625] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd70 [0292.625] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0292.625] PathFindExtensionW (pszPath="StFfZ5d8iiPeu.jpg") returned=".jpg" [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0292.625] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0292.626] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0292.626] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0292.626] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0292.626] lstrcmpiW (lpString1="StFfZ5d8iiPeu.jpg", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0292.626] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbde8 [0292.626] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\StFfZ5d8iiPeu.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\stffz5d8iipeu.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.626] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=60011) returned 1 [0292.626] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0292.626] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0292.626] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0292.626] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0292.626] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.626] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23728 [0292.626] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.627] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23728*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23728*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.627] GetTickCount () returned 0x1189393 [0292.627] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9a0 [0292.627] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9a0 | out: hHeap=0x28d0000) returned 1 [0292.627] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xea6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.627] SetLastError (dwErrCode=0x0) [0292.627] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.628] GetLastError () returned 0x0 [0292.628] GetLastError () returned 0x0 [0292.628] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xeb6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.628] WriteFile (in: hFile=0x270, lpBuffer=0x2d23728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23728*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.629] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xec6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.629] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4bccfdb, dwHighDateTime=0x1d5fd73)) [0292.629] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.629] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.629] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.629] GetProcessHeap () returned 0xa10000 [0292.629] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xea6b) returned 0xa3f6a8 [0292.629] GetSystemDefaultLangID () returned 0xa20409 [0292.629] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.629] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0xea6b, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0xea6b, lpOverlapped=0x0) returned 1 [0292.633] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.633] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0xea6b, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0xea6b, lpOverlapped=0x0) returned 1 [0292.634] GetProcessHeap () returned 0xa10000 [0292.634] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.635] CloseHandle (hObject=0x270) returned 1 [0292.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23728 | out: hHeap=0x28d0000) returned 1 [0292.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0292.636] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0292.636] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe60 [0292.636] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\StFfZ5d8iiPeu.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\stffz5d8iipeu.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\StFfZ5d8iiPeu.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\stffz5d8iipeu.jpg.nefilim")) returned 1 [0292.638] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe60 | out: hHeap=0x28d0000) returned 1 [0292.638] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde8 | out: hHeap=0x28d0000) returned 1 [0292.638] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50351cb0, ftCreationTime.dwHighDateTime=0x1d5e17c, ftLastAccessTime.dwLowDateTime=0xf9cd39a0, ftLastAccessTime.dwHighDateTime=0x1d5e803, ftLastWriteTime.dwLowDateTime=0xf9cd39a0, ftLastWriteTime.dwHighDateTime=0x1d5e803, nFileSizeHigh=0x0, nFileSizeLow=0x83fc, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="v9vL.gif", cAlternateFileName="")) returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2=".") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="..") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="...") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="windows") returned -1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="$RECYCLE.BIN") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="rsa") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="NTDETECT.COM") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="ntldr") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="MSDOS.SYS") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="IO.SYS") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="boot.ini") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="AUTOEXEC.BAT") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="ntuser.dat") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="desktop.ini") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="CONFIG.SYS") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="RECYCLER") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="BOOTSECT.BAK") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="bootmgr") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="programdata") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="appdata") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="program files") returned 1 [0292.639] lstrcmpiW (lpString1="v9vL.gif", lpString2="program files (x86)") returned 1 [0292.640] lstrcmpiW (lpString1="v9vL.gif", lpString2="microsoft") returned 1 [0292.640] lstrcmpiW (lpString1="v9vL.gif", lpString2="sophos") returned 1 [0292.640] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbde8 [0292.640] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0292.640] PathFindExtensionW (pszPath="v9vL.gif") returned=".gif" [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0292.640] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0292.640] lstrcmpiW (lpString1="v9vL.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0292.640] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd70 [0292.640] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\v9vL.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\v9vl.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.641] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=33788) returned 1 [0292.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0292.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0292.641] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0292.641] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0292.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22078 [0292.641] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.643] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22078*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22078*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.644] GetTickCount () returned 0x11893a3 [0292.644] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec08 [0292.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec08 | out: hHeap=0x28d0000) returned 1 [0292.644] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x83fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.644] SetLastError (dwErrCode=0x0) [0292.644] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.645] GetLastError () returned 0x0 [0292.645] GetLastError () returned 0x0 [0292.645] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x84fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.645] WriteFile (in: hFile=0x270, lpBuffer=0x2d22078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d22078*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.645] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x85fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.646] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4bf3557, dwHighDateTime=0x1d5fd73)) [0292.646] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.646] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.646] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.646] GetProcessHeap () returned 0xa10000 [0292.646] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x83fc) returned 0xa3f6a8 [0292.646] GetSystemDefaultLangID () returned 0xa20409 [0292.646] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.646] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x83fc, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x83fc, lpOverlapped=0x0) returned 1 [0292.648] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.648] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x83fc, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x83fc, lpOverlapped=0x0) returned 1 [0292.649] GetProcessHeap () returned 0xa10000 [0292.649] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.649] CloseHandle (hObject=0x270) returned 1 [0292.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22078 | out: hHeap=0x28d0000) returned 1 [0292.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0292.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0292.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe50 [0292.649] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\v9vL.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\v9vl.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\v9vL.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\v9vl.gif.nefilim")) returned 1 [0292.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0292.650] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0292.650] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc08ea870, ftCreationTime.dwHighDateTime=0x1d5e47c, ftLastAccessTime.dwLowDateTime=0xc2169450, ftLastAccessTime.dwHighDateTime=0x1d5e666, ftLastWriteTime.dwLowDateTime=0xc2169450, ftLastWriteTime.dwHighDateTime=0x1d5e666, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="WSUcq_tTEmOlARQDYG4.bmp", cAlternateFileName="WSUCQ_~1.BMP")) returned 1 [0292.650] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2=".") returned 1 [0292.650] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="..") returned 1 [0292.650] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="...") returned 1 [0292.650] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="windows") returned 1 [0292.650] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="$RECYCLE.BIN") returned 1 [0292.650] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="rsa") returned 1 [0292.650] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="NTDETECT.COM") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="ntldr") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="MSDOS.SYS") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="IO.SYS") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="boot.ini") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="ntuser.dat") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="desktop.ini") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="CONFIG.SYS") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="RECYCLER") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="BOOTSECT.BAK") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="bootmgr") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="programdata") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="appdata") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="program files") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="program files (x86)") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="microsoft") returned 1 [0292.651] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="sophos") returned 1 [0292.651] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe50 [0292.651] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde8 | out: hHeap=0x28d0000) returned 1 [0292.651] PathFindExtensionW (pszPath="WSUcq_tTEmOlARQDYG4.bmp") returned=".bmp" [0292.651] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0292.651] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0292.651] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0292.651] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0292.651] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0292.651] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0292.651] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0292.651] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0292.652] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0292.652] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0292.652] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0292.652] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0292.652] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0292.652] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0292.652] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0292.652] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0292.652] lstrcmpiW (lpString1="WSUcq_tTEmOlARQDYG4.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0292.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd70 [0292.652] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\WSUcq_tTEmOlARQDYG4.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\wsucq_ttemolarqdyg4.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0292.652] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=39616) returned 1 [0292.675] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0292.675] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0292.675] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0292.676] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0292.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.676] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22ee8 [0292.676] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0292.678] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22ee8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22ee8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0292.680] GetTickCount () returned 0x11893c2 [0292.680] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8f8 [0292.680] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8f8 | out: hHeap=0x28d0000) returned 1 [0292.680] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.680] SetLastError (dwErrCode=0x0) [0292.680] WriteFile (in: hFile=0x270, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.681] GetLastError () returned 0x0 [0292.681] GetLastError () returned 0x0 [0292.681] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.681] WriteFile (in: hFile=0x270, lpBuffer=0x2d22ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d22ee8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0292.681] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.681] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd4c4eb8e, dwHighDateTime=0x1d5fd73)) [0292.682] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.682] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.682] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0292.682] GetProcessHeap () returned 0xa10000 [0292.682] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x9ac0) returned 0xa3f6a8 [0292.682] GetSystemDefaultLangID () returned 0xa20409 [0292.682] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.682] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x9ac0, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x9ac0, lpOverlapped=0x0) returned 1 [0292.685] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.685] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x9ac0, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x9ac0, lpOverlapped=0x0) returned 1 [0292.685] GetProcessHeap () returned 0xa10000 [0292.685] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0292.685] CloseHandle (hObject=0x270) returned 1 [0292.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22ee8 | out: hHeap=0x28d0000) returned 1 [0292.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0292.686] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0292.686] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28deca0 [0292.686] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\WSUcq_tTEmOlARQDYG4.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\wsucq_ttemolarqdyg4.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rBM0TaOY\\WSUcq_tTEmOlARQDYG4.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rbm0taoy\\wsucq_ttemolarqdyg4.bmp.nefilim")) returned 1 [0292.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deca0 | out: hHeap=0x28d0000) returned 1 [0292.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0292.687] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc08ea870, ftCreationTime.dwHighDateTime=0x1d5e47c, ftLastAccessTime.dwLowDateTime=0xc2169450, ftLastAccessTime.dwHighDateTime=0x1d5e666, ftLastWriteTime.dwLowDateTime=0xc2169450, ftLastWriteTime.dwHighDateTime=0x1d5e666, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="WSUcq_tTEmOlARQDYG4.bmp", cAlternateFileName="WSUCQ_~1.BMP")) returned 0 [0292.687] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0292.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0292.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0292.687] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0292.687] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2=".") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="..") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="...") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="windows") returned -1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="$RECYCLE.BIN") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="rsa") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="NTDETECT.COM") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="ntldr") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="MSDOS.SYS") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="IO.SYS") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="boot.ini") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="ntuser.dat") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="desktop.ini") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="CONFIG.SYS") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="RECYCLER") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="BOOTSECT.BAK") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="bootmgr") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="programdata") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="appdata") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="program files") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="program files (x86)") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="microsoft") returned 1 [0292.688] lstrcmpiW (lpString1="Saved Pictures", lpString2="sophos") returned -1 [0292.688] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0292.688] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x76) returned 0x28dbd18 [0292.689] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0292.689] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0292.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0292.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd98 [0292.689] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe00 [0292.713] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x69000069, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0292.714] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0292.714] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x69000069, cFileName="..", cAlternateFileName="")) returned 1 [0292.714] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0292.714] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0292.714] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x28dbcc0, dwReserved1=0x69000069, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0292.715] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0292.715] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x28dbcc0, dwReserved1=0x69000069, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0292.715] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0292.715] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe00 | out: hHeap=0x28d0000) returned 1 [0292.715] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd98 | out: hHeap=0x28d0000) returned 1 [0292.715] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0292.715] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ab7610, ftCreationTime.dwHighDateTime=0x1d5eb9b, ftLastAccessTime.dwLowDateTime=0x9a9c2930, ftLastAccessTime.dwHighDateTime=0x1d5e6a7, ftLastWriteTime.dwLowDateTime=0x9a9c2930, ftLastWriteTime.dwHighDateTime=0x1d5e6a7, nFileSizeHigh=0x0, nFileSizeLow=0xe227, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="UiB5 Nqmt1ymoJDOTW.gif", cAlternateFileName="UIB5NQ~1.GIF")) returned 1 [0292.715] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2=".") returned 1 [0292.715] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="..") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="...") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="windows") returned -1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="$RECYCLE.BIN") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="rsa") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="NTDETECT.COM") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="ntldr") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="MSDOS.SYS") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="IO.SYS") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="boot.ini") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="AUTOEXEC.BAT") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="ntuser.dat") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="desktop.ini") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="CONFIG.SYS") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="RECYCLER") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="BOOTSECT.BAK") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="bootmgr") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="programdata") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="appdata") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="program files") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="program files (x86)") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="microsoft") returned 1 [0292.716] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="sophos") returned 1 [0292.716] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0292.716] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0292.716] PathFindExtensionW (pszPath="UiB5 Nqmt1ymoJDOTW.gif") returned=".gif" [0292.716] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0292.716] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0292.717] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0292.717] lstrcmpiW (lpString1="UiB5 Nqmt1ymoJDOTW.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0292.717] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0292.717] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\UiB5 Nqmt1ymoJDOTW.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\uib5 nqmt1ymojdotw.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0292.717] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=57895) returned 1 [0292.717] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de270 [0292.718] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0292.718] SystemFunction036 (in: RandomBuffer=0x28de270, RandomBufferLength=0x10 | out: RandomBuffer=0x28de270) returned 1 [0292.718] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0292.718] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.718] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d227b0 [0292.718] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0292.718] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d227b0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d227b0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0292.719] GetTickCount () returned 0x11893f1 [0292.719] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9a0 [0292.719] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9a0 | out: hHeap=0x28d0000) returned 1 [0292.719] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe227, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.719] SetLastError (dwErrCode=0x0) [0292.719] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0292.720] GetLastError () returned 0x0 [0292.720] GetLastError () returned 0x0 [0292.720] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe327, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.720] WriteFile (in: hFile=0x26c, lpBuffer=0x2d227b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d227b0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0292.720] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe427, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.720] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd4cb1bf2, dwHighDateTime=0x1d5fd73)) [0292.720] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0292.720] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0292.720] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0292.720] GetProcessHeap () returned 0xa10000 [0292.720] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xe227) returned 0xa3e6a0 [0292.721] GetSystemDefaultLangID () returned 0xa20409 [0292.721] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.721] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xe227, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xe227, lpOverlapped=0x0) returned 1 [0292.724] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.724] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xe227, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xe227, lpOverlapped=0x0) returned 1 [0292.725] GetProcessHeap () returned 0xa10000 [0292.725] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0292.725] CloseHandle (hObject=0x26c) returned 1 [0292.725] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.725] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d227b0 | out: hHeap=0x28d0000) returned 1 [0292.725] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de270 | out: hHeap=0x28d0000) returned 1 [0292.725] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0292.725] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0292.725] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\UiB5 Nqmt1ymoJDOTW.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\uib5 nqmt1ymojdotw.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\UiB5 Nqmt1ymoJDOTW.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\uib5 nqmt1ymojdotw.gif.nefilim")) returned 1 [0292.726] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0292.726] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0292.726] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a454670, ftCreationTime.dwHighDateTime=0x1d5ee5e, ftLastAccessTime.dwLowDateTime=0x4d3fd880, ftLastAccessTime.dwHighDateTime=0x1d5e12f, ftLastWriteTime.dwLowDateTime=0x4d3fd880, ftLastWriteTime.dwHighDateTime=0x1d5e12f, nFileSizeHigh=0x0, nFileSizeLow=0x1758f, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="W5E1Z52-7h3y.bmp", cAlternateFileName="W5E1Z5~1.BMP")) returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2=".") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="..") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="...") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="windows") returned -1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="$RECYCLE.BIN") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="rsa") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="NTDETECT.COM") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="ntldr") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="MSDOS.SYS") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="IO.SYS") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="boot.ini") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="ntuser.dat") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="desktop.ini") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="CONFIG.SYS") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="RECYCLER") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="BOOTSECT.BAK") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="bootmgr") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="programdata") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="appdata") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="program files") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="program files (x86)") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="microsoft") returned 1 [0292.727] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="sophos") returned 1 [0292.727] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0292.727] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0292.728] PathFindExtensionW (pszPath="W5E1Z52-7h3y.bmp") returned=".bmp" [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0292.728] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0292.728] lstrcmpiW (lpString1="W5E1Z52-7h3y.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0292.728] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0292.728] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\W5E1Z52-7h3y.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\w5e1z52-7h3y.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0292.729] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=95631) returned 1 [0292.729] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0292.729] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0292.729] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0292.729] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0292.729] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.729] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23518 [0292.729] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0292.729] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x100) returned 1 [0292.730] GetTickCount () returned 0x11893f1 [0292.730] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deab8 [0292.730] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deab8 | out: hHeap=0x28d0000) returned 1 [0292.730] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1758f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.730] SetLastError (dwErrCode=0x0) [0292.730] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0292.731] GetLastError () returned 0x0 [0292.731] GetLastError () returned 0x0 [0292.731] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1768f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.731] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23518*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0292.731] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1778f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.731] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd4cd7f25, dwHighDateTime=0x1d5fd73)) [0292.732] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0292.732] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0292.732] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0292.732] GetProcessHeap () returned 0xa10000 [0292.732] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1758f) returned 0xa3e6a0 [0292.732] GetSystemDefaultLangID () returned 0xa20409 [0292.732] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.732] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x1758f, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x1758f, lpOverlapped=0x0) returned 1 [0292.739] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.739] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x1758f, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x1758f, lpOverlapped=0x0) returned 1 [0292.740] GetProcessHeap () returned 0xa10000 [0292.740] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0292.740] CloseHandle (hObject=0x26c) returned 1 [0292.740] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.740] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23518 | out: hHeap=0x28d0000) returned 1 [0292.740] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0292.740] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0292.740] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0292.740] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\W5E1Z52-7h3y.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\w5e1z52-7h3y.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\W5E1Z52-7h3y.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\w5e1z52-7h3y.bmp.nefilim")) returned 1 [0292.741] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0292.741] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0292.741] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527dc380, ftCreationTime.dwHighDateTime=0x1d5e827, ftLastAccessTime.dwLowDateTime=0xdb4b4740, ftLastAccessTime.dwHighDateTime=0x1d5e8eb, ftLastWriteTime.dwLowDateTime=0xdb4b4740, ftLastWriteTime.dwHighDateTime=0x1d5e8eb, nFileSizeHigh=0x0, nFileSizeLow=0x3fc6, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="wKS 1.gif", cAlternateFileName="WKS1~1.GIF")) returned 1 [0292.741] lstrcmpiW (lpString1="wKS 1.gif", lpString2=".") returned 1 [0292.741] lstrcmpiW (lpString1="wKS 1.gif", lpString2="..") returned 1 [0292.741] lstrcmpiW (lpString1="wKS 1.gif", lpString2="...") returned 1 [0292.741] lstrcmpiW (lpString1="wKS 1.gif", lpString2="windows") returned 1 [0292.741] lstrcmpiW (lpString1="wKS 1.gif", lpString2="$RECYCLE.BIN") returned 1 [0292.741] lstrcmpiW (lpString1="wKS 1.gif", lpString2="rsa") returned 1 [0292.741] lstrcmpiW (lpString1="wKS 1.gif", lpString2="NTDETECT.COM") returned 1 [0292.741] lstrcmpiW (lpString1="wKS 1.gif", lpString2="ntldr") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="MSDOS.SYS") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="IO.SYS") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="boot.ini") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="AUTOEXEC.BAT") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="ntuser.dat") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="desktop.ini") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="CONFIG.SYS") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="RECYCLER") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="BOOTSECT.BAK") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="bootmgr") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="programdata") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="appdata") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="program files") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="program files (x86)") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="microsoft") returned 1 [0292.742] lstrcmpiW (lpString1="wKS 1.gif", lpString2="sophos") returned 1 [0292.742] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0292.742] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0292.742] PathFindExtensionW (pszPath="wKS 1.gif") returned=".gif" [0292.742] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0292.742] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0292.742] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0292.742] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0292.742] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0292.742] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0292.742] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0292.742] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0292.743] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0292.743] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0292.743] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0292.743] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0292.743] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0292.743] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0292.743] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0292.743] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0292.743] lstrcmpiW (lpString1="wKS 1.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0292.743] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0292.743] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\wKS 1.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\wks 1.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0292.743] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=16326) returned 1 [0292.743] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0292.743] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0292.743] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0292.743] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0292.743] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.743] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23518 [0292.743] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0292.746] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x100) returned 1 [0292.750] GetTickCount () returned 0x1189410 [0292.750] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28debd0 [0292.750] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28debd0 | out: hHeap=0x28d0000) returned 1 [0292.750] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3fc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.750] SetLastError (dwErrCode=0x0) [0292.750] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0292.751] GetLastError () returned 0x0 [0292.751] GetLastError () returned 0x0 [0292.751] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x40c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.751] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23518*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0292.752] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x41c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.752] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd4cfe1c4, dwHighDateTime=0x1d5fd73)) [0292.752] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0292.752] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0292.752] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0292.752] GetProcessHeap () returned 0xa10000 [0292.752] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3fc6) returned 0xa3e6a0 [0292.752] GetSystemDefaultLangID () returned 0xa20409 [0292.752] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.752] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x3fc6, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x3fc6, lpOverlapped=0x0) returned 1 [0292.753] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.753] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x3fc6, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x3fc6, lpOverlapped=0x0) returned 1 [0292.754] GetProcessHeap () returned 0xa10000 [0292.754] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0292.754] CloseHandle (hObject=0x26c) returned 1 [0292.754] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0292.754] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23518 | out: hHeap=0x28d0000) returned 1 [0292.754] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0292.754] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0292.754] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0292.754] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\wKS 1.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\wks 1.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\wKS 1.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\wks 1.gif.nefilim")) returned 1 [0292.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0292.755] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0292.755] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x320284c0, ftCreationTime.dwHighDateTime=0x1d5e7f4, ftLastAccessTime.dwLowDateTime=0x78b9d080, ftLastAccessTime.dwHighDateTime=0x1d5e32b, ftLastWriteTime.dwLowDateTime=0x78b9d080, ftLastWriteTime.dwHighDateTime=0x1d5e32b, nFileSizeHigh=0x0, nFileSizeLow=0x18dea, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="WPN jzrcC09Ux1C9d9.png", cAlternateFileName="WPNJZR~1.PNG")) returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2=".") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="..") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="...") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="windows") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="$RECYCLE.BIN") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="rsa") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="NTDETECT.COM") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="ntldr") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="MSDOS.SYS") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="IO.SYS") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="boot.ini") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="AUTOEXEC.BAT") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="ntuser.dat") returned 1 [0292.755] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="desktop.ini") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="CONFIG.SYS") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="RECYCLER") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="BOOTSECT.BAK") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="bootmgr") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="programdata") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="appdata") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="program files") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="program files (x86)") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="microsoft") returned 1 [0292.756] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="sophos") returned 1 [0292.756] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0292.756] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0292.756] PathFindExtensionW (pszPath="WPN jzrcC09Ux1C9d9.png") returned=".png" [0292.756] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0292.756] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0292.757] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0292.757] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0292.757] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0292.757] lstrcmpiW (lpString1="WPN jzrcC09Ux1C9d9.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0292.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0292.757] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\WPN jzrcC09Ux1C9d9.png" (normalized: "c:\\users\\fd1hvy\\pictures\\wpn jzrcc09ux1c9d9.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0292.757] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=101866) returned 1 [0292.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2a0 [0292.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0292.757] SystemFunction036 (in: RandomBuffer=0x28de2a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2a0) returned 1 [0292.757] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0292.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0292.757] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d225a0 [0292.757] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0292.758] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d225a0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d225a0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0292.758] GetTickCount () returned 0x1189410 [0292.758] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec08 [0292.758] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec08 | out: hHeap=0x28d0000) returned 1 [0292.758] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x18dea, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.758] SetLastError (dwErrCode=0x0) [0292.758] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0292.760] GetLastError () returned 0x0 [0292.760] GetLastError () returned 0x0 [0292.760] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x18eea, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.760] WriteFile (in: hFile=0x26c, lpBuffer=0x2d225a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d225a0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0292.760] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x18fea, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.760] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd4cfe1c4, dwHighDateTime=0x1d5fd73)) [0292.760] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0292.760] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0292.760] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0292.760] GetProcessHeap () returned 0xa10000 [0292.760] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x18dea) returned 0xa3e6a0 [0292.760] GetSystemDefaultLangID () returned 0xa20409 [0292.760] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.760] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x18dea, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x18dea, lpOverlapped=0x0) returned 1 [0292.780] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0292.936] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x18dea, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x18dea, lpOverlapped=0x0) returned 1 [0292.938] GetProcessHeap () returned 0xa10000 [0293.042] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0293.043] CloseHandle (hObject=0x26c) returned 1 [0293.069] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0293.070] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d225a0 | out: hHeap=0x28d0000) returned 1 [0293.070] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2a0 | out: hHeap=0x28d0000) returned 1 [0293.070] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0293.099] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0293.127] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\WPN jzrcC09Ux1C9d9.png" (normalized: "c:\\users\\fd1hvy\\pictures\\wpn jzrcc09ux1c9d9.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\WPN jzrcC09Ux1C9d9.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\wpn jzrcc09ux1c9d9.png.nefilim")) returned 1 [0293.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0293.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0293.164] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9080090, ftCreationTime.dwHighDateTime=0x1d5ebf0, ftLastAccessTime.dwLowDateTime=0xe5b9ca20, ftLastAccessTime.dwHighDateTime=0x1d5eeb4, ftLastWriteTime.dwLowDateTime=0xe5b9ca20, ftLastWriteTime.dwHighDateTime=0x1d5eeb4, nFileSizeHigh=0x0, nFileSizeLow=0xbc81, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="XGdyy.bmp", cAlternateFileName="")) returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2=".") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="..") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="...") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="windows") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="$RECYCLE.BIN") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="rsa") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="NTDETECT.COM") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="ntldr") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="MSDOS.SYS") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="IO.SYS") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="boot.ini") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0293.164] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="ntuser.dat") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="desktop.ini") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="CONFIG.SYS") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="RECYCLER") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="BOOTSECT.BAK") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="bootmgr") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="programdata") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="appdata") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="program files") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="program files (x86)") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="microsoft") returned 1 [0293.165] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="sophos") returned 1 [0293.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de7f8 [0293.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0293.165] PathFindExtensionW (pszPath="XGdyy.bmp") returned=".bmp" [0293.165] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0293.165] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0293.165] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0293.165] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0293.165] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0293.166] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0293.166] lstrcmpiW (lpString1="XGdyy.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0293.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0293.238] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\XGdyy.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\xgdyy.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0293.239] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=48257) returned 1 [0293.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0293.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0293.239] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0293.239] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0293.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0293.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23e60 [0293.239] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0293.240] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23e60*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23e60*, pdwDataLen=0x26eec04*=0x100) returned 1 [0293.240] GetTickCount () returned 0x11895f4 [0293.240] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28debd0 [0293.240] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28debd0 | out: hHeap=0x28d0000) returned 1 [0293.240] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbc81, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0293.266] SetLastError (dwErrCode=0x0) [0293.266] WriteFile (in: hFile=0x26c, lpBuffer=0x2d20178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d20178*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0293.267] GetLastError () returned 0x0 [0293.285] GetLastError () returned 0x0 [0293.285] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbd81, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0293.302] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23e60*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0293.302] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbe81, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0293.383] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd531031a, dwHighDateTime=0x1d5fd73)) [0293.383] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de850 [0293.383] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de850 | out: hHeap=0x28d0000) returned 1 [0293.383] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0293.383] GetProcessHeap () returned 0xa10000 [0293.383] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xbc81) returned 0xa3e6a0 [0293.383] GetSystemDefaultLangID () returned 0xa20409 [0293.383] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0293.384] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xbc81, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xbc81, lpOverlapped=0x0) returned 1 [0293.387] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0293.387] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xbc81, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xbc81, lpOverlapped=0x0) returned 1 [0293.387] GetProcessHeap () returned 0xa10000 [0293.387] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0293.389] CloseHandle (hObject=0x26c) returned 1 [0293.389] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d20178 | out: hHeap=0x28d0000) returned 1 [0293.390] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23e60 | out: hHeap=0x28d0000) returned 1 [0293.390] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de258 | out: hHeap=0x28d0000) returned 1 [0293.390] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0293.390] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0293.390] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\XGdyy.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\xgdyy.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\XGdyy.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\xgdyy.bmp.nefilim")) returned 1 [0293.391] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0293.391] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0293.391] FindNextFileW (in: hFindFile=0xa2f460, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9080090, ftCreationTime.dwHighDateTime=0x1d5ebf0, ftLastAccessTime.dwLowDateTime=0xe5b9ca20, ftLastAccessTime.dwHighDateTime=0x1d5eeb4, ftLastWriteTime.dwLowDateTime=0xe5b9ca20, ftLastWriteTime.dwHighDateTime=0x1d5eeb4, nFileSizeHigh=0x0, nFileSizeLow=0xbc81, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="XGdyy.bmp", cAlternateFileName="")) returned 0 [0293.462] FindClose (in: hFindFile=0xa2f460 | out: hFindFile=0xa2f460) returned 1 [0293.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0293.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0293.462] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0293.462] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="...") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="$RECYCLE.BIN") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="rsa") returned -1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="NTDETECT.COM") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="ntldr") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="MSDOS.SYS") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="IO.SYS") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="boot.ini") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="AUTOEXEC.BAT") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="ntuser.dat") returned 1 [0293.462] lstrcmpiW (lpString1="PrintHood", lpString2="desktop.ini") returned 1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="CONFIG.SYS") returned 1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="RECYCLER") returned -1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="BOOTSECT.BAK") returned 1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="bootmgr") returned 1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="programdata") returned -1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="appdata") returned 1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="program files") returned -1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="program files (x86)") returned -1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="microsoft") returned 1 [0293.463] lstrcmpiW (lpString1="PrintHood", lpString2="sophos") returned -1 [0293.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0293.463] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0293.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0293.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0293.463] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7f8 [0293.582] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\PrintHood\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9080090, ftCreationTime.dwHighDateTime=0x49000049, ftLastAccessTime.dwLowDateTime=0xe5b9ca20, ftLastAccessTime.dwHighDateTime=0x1d5eeb4, ftLastWriteTime.dwLowDateTime=0xe5b9ca20, ftLastWriteTime.dwHighDateTime=0x1d5eeb4, nFileSizeHigh=0x28d0000, nFileSizeLow=0x1d00001d, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="", cAlternateFileName="ɮ⊺\x01ʍʍ4")) returned 0xffffffff [0293.826] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0293.826] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0293.826] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0293.992] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Recent", cAlternateFileName="")) returned 1 [0294.043] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="...") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="$RECYCLE.BIN") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="rsa") returned -1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="NTDETECT.COM") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="ntldr") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="MSDOS.SYS") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="IO.SYS") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="boot.ini") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="AUTOEXEC.BAT") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="ntuser.dat") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="desktop.ini") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="CONFIG.SYS") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="RECYCLER") returned -1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="BOOTSECT.BAK") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="programdata") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="appdata") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="program files") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="program files (x86)") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="microsoft") returned 1 [0294.044] lstrcmpiW (lpString1="Recent", lpString2="sophos") returned -1 [0294.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec40 [0294.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0294.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dec08 [0294.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea10 [0294.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0294.098] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Recent\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9080090, ftCreationTime.dwHighDateTime=0x49000049, ftLastAccessTime.dwLowDateTime=0xe5b9ca20, ftLastAccessTime.dwHighDateTime=0x1d5eeb4, ftLastWriteTime.dwLowDateTime=0xe5b9ca20, ftLastWriteTime.dwHighDateTime=0x1d5eeb4, nFileSizeHigh=0x28d0000, nFileSizeLow=0x1d00001d, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="", cAlternateFileName="ɮ⊺\x01ʍʍ.")) returned 0xffffffff [0294.098] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0294.098] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea10 | out: hHeap=0x28d0000) returned 1 [0294.098] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec08 | out: hHeap=0x28d0000) returned 1 [0294.098] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0294.098] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="...") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="$RECYCLE.BIN") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="rsa") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="NTDETECT.COM") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="ntldr") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="MSDOS.SYS") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="IO.SYS") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="boot.ini") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="AUTOEXEC.BAT") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="ntuser.dat") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="desktop.ini") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="CONFIG.SYS") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="RECYCLER") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="BOOTSECT.BAK") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="bootmgr") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="programdata") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="appdata") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="program files") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="program files (x86)") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="microsoft") returned 1 [0294.099] lstrcmpiW (lpString1="Saved Games", lpString2="sophos") returned -1 [0294.099] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0294.099] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec40 | out: hHeap=0x28d0000) returned 1 [0294.100] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0294.100] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0294.100] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7f8 [0294.100] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Saved Games\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName=".", cAlternateFileName="")) returned 0xa2f220 [0294.101] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0294.101] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="..", cAlternateFileName="")) returned 1 [0294.101] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0294.101] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0294.101] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0294.101] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0294.101] FindNextFileW (in: hFindFile=0xa2f220, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0294.152] FindClose (in: hFindFile=0xa2f220 | out: hFindFile=0xa2f220) returned 1 [0294.153] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0294.153] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0294.153] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0294.153] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Searches", cAlternateFileName="")) returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="...") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="windows") returned -1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="$RECYCLE.BIN") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="rsa") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="NTDETECT.COM") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="ntldr") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="MSDOS.SYS") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="IO.SYS") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="boot.ini") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="AUTOEXEC.BAT") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="ntuser.dat") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="desktop.ini") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="CONFIG.SYS") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="RECYCLER") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="BOOTSECT.BAK") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="bootmgr") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="programdata") returned 1 [0294.153] lstrcmpiW (lpString1="Searches", lpString2="appdata") returned 1 [0294.154] lstrcmpiW (lpString1="Searches", lpString2="program files") returned 1 [0294.154] lstrcmpiW (lpString1="Searches", lpString2="program files (x86)") returned 1 [0294.154] lstrcmpiW (lpString1="Searches", lpString2="microsoft") returned 1 [0294.154] lstrcmpiW (lpString1="Searches", lpString2="sophos") returned -1 [0294.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0294.154] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0294.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0294.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0294.154] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7f8 [0294.154] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Searches\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0294.154] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0294.154] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="..", cAlternateFileName="")) returned 1 [0294.154] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0294.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0294.155] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0294.155] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0294.155] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44269063, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44269063, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44269063, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0294.155] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0294.155] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0294.155] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="...") returned 1 [0294.155] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="windows") returned -1 [0294.155] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$RECYCLE.BIN") returned 1 [0294.155] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="rsa") returned -1 [0294.155] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NTDETECT.COM") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntldr") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="MSDOS.SYS") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="IO.SYS") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="boot.ini") returned 1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="AUTOEXEC.BAT") returned 1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="desktop.ini") returned 1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="CONFIG.SYS") returned 1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="RECYCLER") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="BOOTSECT.BAK") returned 1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="bootmgr") returned 1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="programdata") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="appdata") returned 1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files (x86)") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="microsoft") returned -1 [0294.156] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="sophos") returned -1 [0294.156] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0294.156] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0294.212] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0294.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28de660 [0294.245] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0294.245] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0294.245] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0294.245] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0294.245] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0294.245] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0294.245] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0294.245] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0294.246] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0294.246] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0294.246] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0294.246] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0294.246] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0294.246] lstrcmpiW (lpString1=".search-ms", lpString2=".NEFILIM") returned 1 [0294.246] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0294.246] lstrcmpiW (lpString1=".search-ms", lpString2=".lnk") returned 1 [0294.246] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0294.246] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de7f8 [0294.316] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0294.427] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=440599260887424) returned 0 [0294.427] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de258 [0294.427] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de270 [0294.427] SystemFunction036 (in: RandomBuffer=0x28de258, RandomBufferLength=0x10 | out: RandomBuffer=0x28de258) returned 1 [0294.428] SystemFunction036 (in: RandomBuffer=0x28de270, RandomBufferLength=0x10 | out: RandomBuffer=0x28de270) returned 1 [0294.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d20178 [0294.428] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22ac8 [0294.514] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d20178*, pdwDataLen=0x26eec08*=0x100) returned 1 [0294.517] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22ac8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22ac8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0294.593] GetTickCount () returned 0x1189b44 [0294.593] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf0 [0294.618] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf0 | out: hHeap=0x28d0000) returned 1 [0294.618] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0294.749] SetLastError (dwErrCode=0x0) [0294.812] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d20178, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0) returned 0 [0294.827] GetLastError () returned 0x6 [0294.827] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7f8 | out: hHeap=0x28d0000) returned 1 [0294.828] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de660 | out: hHeap=0x28d0000) returned 1 [0294.843] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44242e24, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44242e24, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44242e24, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0294.843] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0294.843] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0294.843] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="...") returned 1 [0294.843] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="windows") returned -1 [0294.843] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$RECYCLE.BIN") returned 1 [0294.843] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="rsa") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NTDETECT.COM") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntldr") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="MSDOS.SYS") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="IO.SYS") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="boot.ini") returned 1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="AUTOEXEC.BAT") returned 1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="desktop.ini") returned 1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="CONFIG.SYS") returned 1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="RECYCLER") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="BOOTSECT.BAK") returned 1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="bootmgr") returned 1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="programdata") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="appdata") returned 1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files (x86)") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="microsoft") returned -1 [0294.844] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="sophos") returned -1 [0294.844] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0294.844] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0294.844] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0294.844] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28de3e0 [0294.844] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0294.844] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".NEFILIM") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0294.845] lstrcmpiW (lpString1=".search-ms", lpString2=".lnk") returned 1 [0294.845] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0294.845] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbda0 [0294.845] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0294.846] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=440599260887424) returned 0 [0294.846] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de288 [0294.846] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2a0 [0294.846] SystemFunction036 (in: RandomBuffer=0x28de288, RandomBufferLength=0x10 | out: RandomBuffer=0x28de288) returned 1 [0294.846] SystemFunction036 (in: RandomBuffer=0x28de2a0, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2a0) returned 1 [0294.846] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22ff0 [0294.846] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22ee8 [0294.846] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22ff0*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d22ff0*, pdwDataLen=0x26eec08*=0x100) returned 1 [0294.846] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22ee8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22ee8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0294.847] GetTickCount () returned 0x1189c3e [0294.847] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de970 [0294.847] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de970 | out: hHeap=0x28d0000) returned 1 [0294.847] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x26ef980, lpNewFilePointer=0x190b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x190b9*=-8427287629222620021) returned 0 [0294.847] SetLastError (dwErrCode=0x0) [0294.847] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2d22ff0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0) returned 0 [0294.847] GetLastError () returned 0x6 [0294.847] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0294.847] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de3e0 | out: hHeap=0x28d0000) returned 1 [0294.847] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2=".") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="..") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="...") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="windows") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="$RECYCLE.BIN") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="rsa") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="NTDETECT.COM") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="ntldr") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="MSDOS.SYS") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="IO.SYS") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="boot.ini") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="AUTOEXEC.BAT") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="ntuser.dat") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="desktop.ini") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="CONFIG.SYS") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="RECYCLER") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="BOOTSECT.BAK") returned 1 [0294.847] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="bootmgr") returned 1 [0294.848] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="programdata") returned 1 [0294.848] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="appdata") returned 1 [0294.848] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="program files") returned 1 [0294.848] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="program files (x86)") returned 1 [0294.848] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="microsoft") returned 1 [0294.848] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="sophos") returned 1 [0294.857] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28dbda0 [0294.857] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0294.857] PathFindExtensionW (pszPath="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned=".searchconnector-ms" [0294.857] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de970 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".exe") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".log") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".cab") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".cmd") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".com") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".cpl") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".ini") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".dll") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".url") returned -1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".ttf") returned -1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".mp3") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".pif") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".mp4") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".NEFILIM") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".msi") returned 1 [0294.857] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".lnk") returned 1 [0294.858] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0294.858] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xd0) returned 0x28dbcc0 [0294.858] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0294.860] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=855) returned 1 [0294.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0294.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0294.860] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0294.860] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0294.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0294.860] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d229c0 [0294.860] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0294.860] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d229c0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d229c0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0294.860] GetTickCount () returned 0x1189c3e [0294.861] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de900 [0294.861] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de900 | out: hHeap=0x28d0000) returned 1 [0294.861] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x357, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0294.861] SetLastError (dwErrCode=0x0) [0294.861] WriteFile (in: hFile=0x26c, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0294.863] GetLastError () returned 0x0 [0295.085] GetLastError () returned 0x0 [0295.085] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x457, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.276] WriteFile (in: hFile=0x26c, lpBuffer=0x2d229c0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d229c0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0295.277] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x557, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.323] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd65816d1, dwHighDateTime=0x1d5fd73)) [0295.344] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe78 [0295.344] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe78 | out: hHeap=0x28d0000) returned 1 [0295.373] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0295.374] GetProcessHeap () returned 0xa10000 [0295.374] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x357) returned 0xa34b88 [0295.466] GetSystemDefaultLangID () returned 0xa20409 [0295.466] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.551] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x357, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x357, lpOverlapped=0x0) returned 1 [0295.551] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.630] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x357, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x357, lpOverlapped=0x0) returned 1 [0295.630] GetProcessHeap () returned 0xa10000 [0295.735] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0295.848] CloseHandle (hObject=0x26c) returned 1 [0295.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0295.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d229c0 | out: hHeap=0x28d0000) returned 1 [0295.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0295.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0295.849] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xe0) returned 0x28dec00 [0295.904] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), lpNewFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.NEFILIM" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.nefilim")) returned 1 [0295.906] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0295.906] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0295.906] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de970 | out: hHeap=0x28d0000) returned 1 [0295.907] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 0 [0295.907] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0295.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0295.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0295.907] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0295.907] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="SendTo", cAlternateFileName="")) returned 1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2="...") returned 1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2="$RECYCLE.BIN") returned 1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2="rsa") returned 1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2="NTDETECT.COM") returned 1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2="ntldr") returned 1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2="MSDOS.SYS") returned 1 [0295.907] lstrcmpiW (lpString1="SendTo", lpString2="IO.SYS") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="boot.ini") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="AUTOEXEC.BAT") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="ntuser.dat") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="desktop.ini") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="CONFIG.SYS") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="RECYCLER") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="BOOTSECT.BAK") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="bootmgr") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="programdata") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="appdata") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="program files") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="program files (x86)") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="microsoft") returned 1 [0295.908] lstrcmpiW (lpString1="SendTo", lpString2="sophos") returned -1 [0295.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de900 [0295.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0295.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf8 [0295.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea88 [0295.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0295.908] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\SendTo\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891ᗊ瞛ᝩﲿʍ", cAlternateFileName="ɮ⊺\x01ʍʍ.")) returned 0xffffffff [0295.909] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0295.909] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea88 | out: hHeap=0x28d0000) returned 1 [0295.909] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf8 | out: hHeap=0x28d0000) returned 1 [0295.909] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="$RECYCLE.BIN") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="NTDETECT.COM") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="ntldr") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="MSDOS.SYS") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="IO.SYS") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="boot.ini") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="AUTOEXEC.BAT") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="desktop.ini") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="CONFIG.SYS") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="RECYCLER") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="BOOTSECT.BAK") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0295.909] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0295.910] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0295.910] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0295.910] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0295.910] lstrcmpiW (lpString1="Start Menu", lpString2="microsoft") returned 1 [0295.910] lstrcmpiW (lpString1="Start Menu", lpString2="sophos") returned 1 [0295.910] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0295.910] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de900 | out: hHeap=0x28d0000) returned 1 [0295.910] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0295.910] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0295.910] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0295.910] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Start Menu\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x49000049, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x49000049, nFileSizeHigh=0x28d0000, nFileSizeLow=0x357, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="", cAlternateFileName="ɮ⊺\x01ʍʍ6")) returned 0xffffffff [0295.910] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0295.910] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0295.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0295.911] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0295.911] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0295.911] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0295.911] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0295.911] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0295.911] lstrcmpiW (lpString1="Templates", lpString2="$RECYCLE.BIN") returned 1 [0295.911] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="NTDETECT.COM") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="ntldr") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="MSDOS.SYS") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="IO.SYS") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="boot.ini") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="AUTOEXEC.BAT") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="desktop.ini") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="CONFIG.SYS") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="RECYCLER") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="BOOTSECT.BAK") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="microsoft") returned 1 [0295.912] lstrcmpiW (lpString1="Templates", lpString2="sophos") returned 1 [0295.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0295.912] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0295.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0295.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0295.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0295.912] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Templates\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x49000049, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x9000009, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x49000049, nFileSizeHigh=0x28d0000, nFileSizeLow=0x357, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="", cAlternateFileName="ɮ⊺\x01ʍʍ4")) returned 0xffffffff [0295.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0295.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0295.913] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0295.913] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe765f877, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe765f877, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Videos", cAlternateFileName="")) returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="$RECYCLE.BIN") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="NTDETECT.COM") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="ntldr") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="MSDOS.SYS") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="IO.SYS") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="boot.ini") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="AUTOEXEC.BAT") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="desktop.ini") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="CONFIG.SYS") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="RECYCLER") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="BOOTSECT.BAK") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0295.913] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0295.914] lstrcmpiW (lpString1="Videos", lpString2="microsoft") returned 1 [0295.914] lstrcmpiW (lpString1="Videos", lpString2="sophos") returned 1 [0295.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9a8 [0295.914] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0295.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf8 [0295.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c8 [0295.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0295.914] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe765f877, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe765f877, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0295.914] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0295.914] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe765f877, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe765f877, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="..", cAlternateFileName="")) returned 1 [0295.914] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0295.914] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0295.914] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71567470, ftCreationTime.dwHighDateTime=0x1d5e81b, ftLastAccessTime.dwLowDateTime=0xef049160, ftLastAccessTime.dwHighDateTime=0x1d5e733, ftLastWriteTime.dwLowDateTime=0xef049160, ftLastWriteTime.dwHighDateTime=0x1d5e733, nFileSizeHigh=0x0, nFileSizeLow=0x13858, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="59qBxmXq.mp4", cAlternateFileName="")) returned 1 [0295.914] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2=".") returned 1 [0295.914] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="..") returned 1 [0295.914] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="...") returned 1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="windows") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="$RECYCLE.BIN") returned 1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="rsa") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="NTDETECT.COM") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="ntldr") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="MSDOS.SYS") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="IO.SYS") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="boot.ini") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="AUTOEXEC.BAT") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="ntuser.dat") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="desktop.ini") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="CONFIG.SYS") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="RECYCLER") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="BOOTSECT.BAK") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="bootmgr") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="programdata") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="appdata") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="program files") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="program files (x86)") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="microsoft") returned -1 [0295.915] lstrcmpiW (lpString1="59qBxmXq.mp4", lpString2="sophos") returned -1 [0295.915] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de768 [0295.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0295.915] PathFindExtensionW (pszPath="59qBxmXq.mp4") returned=".mp4" [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0295.916] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0295.916] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49f30660, ftCreationTime.dwHighDateTime=0x1d5eb12, ftLastAccessTime.dwLowDateTime=0x7ab6d820, ftLastAccessTime.dwHighDateTime=0x1d5e901, ftLastWriteTime.dwLowDateTime=0x7ab6d820, ftLastWriteTime.dwHighDateTime=0x1d5e901, nFileSizeHigh=0x0, nFileSizeLow=0x4f07, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="8aEkimcETMMtz.mkv", cAlternateFileName="8AEKIM~1.MKV")) returned 1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2=".") returned 1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="..") returned 1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="...") returned 1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="windows") returned -1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="$RECYCLE.BIN") returned 1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="rsa") returned -1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="NTDETECT.COM") returned -1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="ntldr") returned -1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="MSDOS.SYS") returned -1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="IO.SYS") returned -1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="boot.ini") returned -1 [0295.916] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="AUTOEXEC.BAT") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="ntuser.dat") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="desktop.ini") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="CONFIG.SYS") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="RECYCLER") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="BOOTSECT.BAK") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="bootmgr") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="programdata") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="appdata") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="program files") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="program files (x86)") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="microsoft") returned -1 [0295.917] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="sophos") returned -1 [0295.917] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0295.917] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0295.917] PathFindExtensionW (pszPath="8aEkimcETMMtz.mkv") returned=".mkv" [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0295.917] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0295.918] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0295.918] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0295.918] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0295.918] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0295.918] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0295.918] lstrcmpiW (lpString1="8aEkimcETMMtz.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0295.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0295.918] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\8aEkimcETMMtz.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\8aekimcetmmtz.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0295.918] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=20231) returned 1 [0295.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0295.918] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0295.918] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0295.919] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0295.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22288 [0295.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22390 [0295.919] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22288*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d22288*, pdwDataLen=0x26eec08*=0x100) returned 1 [0295.919] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22390*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22390*, pdwDataLen=0x26eec04*=0x100) returned 1 [0295.955] GetTickCount () returned 0x118a083 [0295.955] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9e0 [0295.955] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9e0 | out: hHeap=0x28d0000) returned 1 [0295.955] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4f07, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.955] SetLastError (dwErrCode=0x0) [0295.955] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22288*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0295.957] GetLastError () returned 0x0 [0295.957] GetLastError () returned 0x0 [0295.957] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5007, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.957] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22390*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0295.957] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5107, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.957] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd6b77465, dwHighDateTime=0x1d5fd73)) [0295.957] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de788 [0295.957] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0295.957] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0295.958] GetProcessHeap () returned 0xa10000 [0295.958] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4f07) returned 0xa3e6a0 [0295.958] GetSystemDefaultLangID () returned 0xa20409 [0295.958] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.958] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x4f07, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x4f07, lpOverlapped=0x0) returned 1 [0295.959] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.959] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x4f07, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x4f07, lpOverlapped=0x0) returned 1 [0295.960] GetProcessHeap () returned 0xa10000 [0295.960] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0295.961] CloseHandle (hObject=0x26c) returned 1 [0295.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22288 | out: hHeap=0x28d0000) returned 1 [0295.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22390 | out: hHeap=0x28d0000) returned 1 [0295.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0295.962] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0295.962] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0295.962] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\8aEkimcETMMtz.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\8aekimcetmmtz.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\8aEkimcETMMtz.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\8aekimcetmmtz.mkv.nefilim")) returned 1 [0295.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0295.963] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0295.963] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43f94523, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43f94523, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0295.963] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0295.963] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0295.963] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0295.963] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0295.963] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0295.963] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0295.963] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0295.963] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0295.964] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0295.964] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0295.964] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0295.964] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0295.964] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0295.964] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0295.964] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18f21480, ftCreationTime.dwHighDateTime=0x1d5ed37, ftLastAccessTime.dwLowDateTime=0x9a50a230, ftLastAccessTime.dwHighDateTime=0x1d5e760, ftLastWriteTime.dwLowDateTime=0x9a50a230, ftLastWriteTime.dwHighDateTime=0x1d5e760, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="Lryq", cAlternateFileName="")) returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2=".") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="..") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="...") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="windows") returned -1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="$RECYCLE.BIN") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="rsa") returned -1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="NTDETECT.COM") returned -1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="ntldr") returned -1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="MSDOS.SYS") returned -1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="IO.SYS") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="boot.ini") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="AUTOEXEC.BAT") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="ntuser.dat") returned -1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="desktop.ini") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="CONFIG.SYS") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="RECYCLER") returned -1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="BOOTSECT.BAK") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="bootmgr") returned 1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="programdata") returned -1 [0295.964] lstrcmpiW (lpString1="Lryq", lpString2="appdata") returned 1 [0295.965] lstrcmpiW (lpString1="Lryq", lpString2="program files") returned -1 [0295.965] lstrcmpiW (lpString1="Lryq", lpString2="program files (x86)") returned -1 [0295.965] lstrcmpiW (lpString1="Lryq", lpString2="microsoft") returned -1 [0295.965] lstrcmpiW (lpString1="Lryq", lpString2="sophos") returned -1 [0295.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0295.965] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0295.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de768 [0295.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de7b0 [0295.965] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0295.965] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18f21480, ftCreationTime.dwHighDateTime=0x1d5ed37, ftLastAccessTime.dwLowDateTime=0x9a50a230, ftLastAccessTime.dwHighDateTime=0x1d5e760, ftLastWriteTime.dwLowDateTime=0x9a50a230, ftLastWriteTime.dwHighDateTime=0x1d5e760, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de720, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f420 [0295.965] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0295.965] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18f21480, ftCreationTime.dwHighDateTime=0x1d5ed37, ftLastAccessTime.dwLowDateTime=0x9a50a230, ftLastAccessTime.dwHighDateTime=0x1d5e760, ftLastWriteTime.dwLowDateTime=0x9a50a230, ftLastWriteTime.dwHighDateTime=0x1d5e760, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.967] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0295.967] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0295.967] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61cb7000, ftCreationTime.dwHighDateTime=0x1d5e0e6, ftLastAccessTime.dwLowDateTime=0x7a434cd0, ftLastAccessTime.dwHighDateTime=0x1d5e6f3, ftLastWriteTime.dwLowDateTime=0x7a434cd0, ftLastWriteTime.dwHighDateTime=0x1d5e6f3, nFileSizeHigh=0x0, nFileSizeLow=0x4155, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="2xkjJdCqDtQQ4j5d.mkv", cAlternateFileName="2XKJJD~1.MKV")) returned 1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2=".") returned 1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="..") returned 1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="...") returned 1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="windows") returned -1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="$RECYCLE.BIN") returned 1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="rsa") returned -1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="NTDETECT.COM") returned -1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="ntldr") returned -1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="MSDOS.SYS") returned -1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="IO.SYS") returned -1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="boot.ini") returned -1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="AUTOEXEC.BAT") returned -1 [0295.967] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="ntuser.dat") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="desktop.ini") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="CONFIG.SYS") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="RECYCLER") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="BOOTSECT.BAK") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="bootmgr") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="programdata") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="appdata") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="program files") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="program files (x86)") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="microsoft") returned -1 [0295.968] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="sophos") returned -1 [0295.968] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd08 [0295.968] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0295.968] PathFindExtensionW (pszPath="2xkjJdCqDtQQ4j5d.mkv") returned=".mkv" [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0295.968] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0295.969] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0295.969] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0295.969] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0295.969] lstrcmpiW (lpString1="2xkjJdCqDtQQ4j5d.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0295.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd80 [0295.969] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\2xkjJdCqDtQQ4j5d.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\2xkjjdcqdtqq4j5d.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0295.969] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=16725) returned 1 [0295.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0295.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0295.969] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0295.969] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0295.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22078 [0295.969] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22de0 [0295.969] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22078*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d22078*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0295.972] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22de0*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22de0*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0295.974] GetTickCount () returned 0x118a0a3 [0295.974] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9e0 [0295.974] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9e0 | out: hHeap=0x28d0000) returned 1 [0295.974] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4155, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.974] SetLastError (dwErrCode=0x0) [0295.974] WriteFile (in: hFile=0x270, lpBuffer=0x2d22078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d22078*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0295.976] GetLastError () returned 0x0 [0295.976] GetLastError () returned 0x0 [0295.976] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4255, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.976] WriteFile (in: hFile=0x270, lpBuffer=0x2d22de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d22de0*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0295.976] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4355, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.976] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd6bc3a3f, dwHighDateTime=0x1d5fd73)) [0295.976] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0295.976] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0295.976] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0295.976] GetProcessHeap () returned 0xa10000 [0295.976] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4155) returned 0xa3f6a8 [0295.976] GetSystemDefaultLangID () returned 0xa20409 [0295.976] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.976] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x4155, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x4155, lpOverlapped=0x0) returned 1 [0295.977] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.977] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x4155, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x4155, lpOverlapped=0x0) returned 1 [0295.978] GetProcessHeap () returned 0xa10000 [0295.978] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0295.978] CloseHandle (hObject=0x270) returned 1 [0295.978] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22078 | out: hHeap=0x28d0000) returned 1 [0295.978] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22de0 | out: hHeap=0x28d0000) returned 1 [0295.978] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0295.978] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0295.978] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdf8 [0295.978] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\2xkjJdCqDtQQ4j5d.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\2xkjjdcqdtqq4j5d.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\2xkjJdCqDtQQ4j5d.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\2xkjjdcqdtqq4j5d.mkv.nefilim")) returned 1 [0295.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0295.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd80 | out: hHeap=0x28d0000) returned 1 [0295.979] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3bfa5ca0, ftCreationTime.dwHighDateTime=0x1d5ecef, ftLastAccessTime.dwLowDateTime=0x87f0a090, ftLastAccessTime.dwHighDateTime=0x1d5efe9, ftLastWriteTime.dwLowDateTime=0x87f0a090, ftLastWriteTime.dwHighDateTime=0x1d5efe9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="E03o_xGG2lhL", cAlternateFileName="E03O_X~1")) returned 1 [0295.979] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2=".") returned 1 [0295.979] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="..") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="...") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="windows") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="$RECYCLE.BIN") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="rsa") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="NTDETECT.COM") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="ntldr") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="MSDOS.SYS") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="IO.SYS") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="boot.ini") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="AUTOEXEC.BAT") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="ntuser.dat") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="desktop.ini") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="CONFIG.SYS") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="RECYCLER") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="BOOTSECT.BAK") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="bootmgr") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="programdata") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="appdata") returned 1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="program files") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="program files (x86)") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="microsoft") returned -1 [0295.980] lstrcmpiW (lpString1="E03o_xGG2lhL", lpString2="sophos") returned -1 [0295.980] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd80 [0295.980] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd08 | out: hHeap=0x28d0000) returned 1 [0295.980] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0295.980] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbde8 [0295.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbe50 [0295.981] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3bfa5ca0, ftCreationTime.dwHighDateTime=0x1d5ecef, ftLastAccessTime.dwLowDateTime=0x87f0a090, ftLastAccessTime.dwHighDateTime=0x1d5efe9, ftLastWriteTime.dwLowDateTime=0x87f0a090, ftLastWriteTime.dwHighDateTime=0x1d5efe9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0295.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0295.981] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3bfa5ca0, ftCreationTime.dwHighDateTime=0x1d5ecef, ftLastAccessTime.dwLowDateTime=0x87f0a090, ftLastAccessTime.dwHighDateTime=0x1d5efe9, ftLastWriteTime.dwLowDateTime=0x87f0a090, ftLastWriteTime.dwHighDateTime=0x1d5efe9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0295.981] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0295.981] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0295.981] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25d25a40, ftCreationTime.dwHighDateTime=0x1d5e745, ftLastAccessTime.dwLowDateTime=0xf3b34550, ftLastAccessTime.dwHighDateTime=0x1d5e5d3, ftLastWriteTime.dwLowDateTime=0xf3b34550, ftLastWriteTime.dwHighDateTime=0x1d5e5d3, nFileSizeHigh=0x0, nFileSizeLow=0x1444d, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="8NUvNuMnItfpvrnuCR.swf", cAlternateFileName="8NUVNU~1.SWF")) returned 1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2=".") returned 1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="..") returned 1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="...") returned 1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="windows") returned -1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="$RECYCLE.BIN") returned 1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="rsa") returned -1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="NTDETECT.COM") returned -1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="ntldr") returned -1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="MSDOS.SYS") returned -1 [0295.981] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="IO.SYS") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="boot.ini") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="AUTOEXEC.BAT") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="ntuser.dat") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="desktop.ini") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="CONFIG.SYS") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="RECYCLER") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="BOOTSECT.BAK") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="bootmgr") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="programdata") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="appdata") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="program files") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="program files (x86)") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="microsoft") returned -1 [0295.982] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="sophos") returned -1 [0295.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec00 [0295.982] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0295.982] PathFindExtensionW (pszPath="8NUvNuMnItfpvrnuCR.swf") returned=".swf" [0295.982] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0295.982] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0295.982] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0295.982] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0295.982] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0295.982] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0295.982] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0295.982] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0295.983] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0295.983] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0295.983] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0295.983] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0295.983] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0295.983] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0295.983] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0295.983] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0295.983] lstrcmpiW (lpString1="8NUvNuMnItfpvrnuCR.swf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0295.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe50 [0295.983] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\8NUvNuMnItfpvrnuCR.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\e03o_xgg2lhl\\8nuvnumnitfpvrnucr.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0295.983] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=83021) returned 1 [0295.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0295.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0295.983] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0295.984] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0295.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22cd8 [0295.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23620 [0295.984] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22cd8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d22cd8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0295.984] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23620*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23620*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0295.984] GetTickCount () returned 0x118a0a3 [0295.985] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de858 [0295.985] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de858 | out: hHeap=0x28d0000) returned 1 [0295.985] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1444d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.985] SetLastError (dwErrCode=0x0) [0295.985] WriteFile (in: hFile=0x274, lpBuffer=0x2d22cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22cd8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0295.986] GetLastError () returned 0x0 [0295.986] GetLastError () returned 0x0 [0295.986] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1454d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.986] WriteFile (in: hFile=0x274, lpBuffer=0x2d23620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23620*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0295.986] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1464d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.986] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd6bc3a3f, dwHighDateTime=0x1d5fd73)) [0295.986] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0295.986] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0295.986] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0295.986] GetProcessHeap () returned 0xa10000 [0295.986] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1444d) returned 0xa406b0 [0295.987] GetSystemDefaultLangID () returned 0xa20409 [0295.987] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0295.987] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x1444d, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x1444d, lpOverlapped=0x0) returned 1 [0296.015] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.015] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x1444d, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x1444d, lpOverlapped=0x0) returned 1 [0296.016] GetProcessHeap () returned 0xa10000 [0296.016] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.016] CloseHandle (hObject=0x274) returned 1 [0296.016] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22cd8 | out: hHeap=0x28d0000) returned 1 [0296.016] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23620 | out: hHeap=0x28d0000) returned 1 [0296.016] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.016] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.016] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec88 [0296.016] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\8NUvNuMnItfpvrnuCR.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\e03o_xgg2lhl\\8nuvnumnitfpvrnucr.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\8NUvNuMnItfpvrnuCR.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\e03o_xgg2lhl\\8nuvnumnitfpvrnucr.swf.nefilim")) returned 1 [0296.018] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.018] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0296.018] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c2c3130, ftCreationTime.dwHighDateTime=0x1d5ecbe, ftLastAccessTime.dwLowDateTime=0x5ca9bb90, ftLastAccessTime.dwHighDateTime=0x1d5e64f, ftLastWriteTime.dwLowDateTime=0x5ca9bb90, ftLastWriteTime.dwHighDateTime=0x1d5e64f, nFileSizeHigh=0x0, nFileSizeLow=0x116f4, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="gBC4XFdkf.mkv", cAlternateFileName="GBC4XF~1.MKV")) returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2=".") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="..") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="...") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="windows") returned -1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="$RECYCLE.BIN") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="rsa") returned -1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="NTDETECT.COM") returned -1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="ntldr") returned -1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="MSDOS.SYS") returned -1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="IO.SYS") returned -1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="boot.ini") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="ntuser.dat") returned -1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="desktop.ini") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="CONFIG.SYS") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="RECYCLER") returned -1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="BOOTSECT.BAK") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="bootmgr") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="programdata") returned -1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="appdata") returned 1 [0296.018] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="program files") returned -1 [0296.019] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="program files (x86)") returned -1 [0296.019] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="microsoft") returned -1 [0296.019] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="sophos") returned -1 [0296.019] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe50 [0296.019] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.019] PathFindExtensionW (pszPath="gBC4XFdkf.mkv") returned=".mkv" [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0296.019] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0296.019] lstrcmpiW (lpString1="gBC4XFdkf.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.019] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dec00 [0296.019] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\gBC4XFdkf.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\e03o_xgg2lhl\\gbc4xfdkf.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.022] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=71412) returned 1 [0296.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.022] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.022] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0296.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23518 [0296.022] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.024] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23518*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23518*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.027] GetTickCount () returned 0x118a0d2 [0296.027] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb68 [0296.027] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb68 | out: hHeap=0x28d0000) returned 1 [0296.027] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x116f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.027] SetLastError (dwErrCode=0x0) [0296.027] WriteFile (in: hFile=0x274, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.028] GetLastError () returned 0x0 [0296.028] GetLastError () returned 0x0 [0296.028] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x117f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.028] WriteFile (in: hFile=0x274, lpBuffer=0x2d23518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23518*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.028] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x118f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.028] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd6c3607f, dwHighDateTime=0x1d5fd73)) [0296.028] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0296.028] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0296.028] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.028] GetProcessHeap () returned 0xa10000 [0296.028] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x116f4) returned 0xa406b0 [0296.029] GetSystemDefaultLangID () returned 0xa20409 [0296.029] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.029] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x116f4, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x116f4, lpOverlapped=0x0) returned 1 [0296.034] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.034] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x116f4, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x116f4, lpOverlapped=0x0) returned 1 [0296.034] GetProcessHeap () returned 0xa10000 [0296.034] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.034] CloseHandle (hObject=0x274) returned 1 [0296.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0296.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23518 | out: hHeap=0x28d0000) returned 1 [0296.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.035] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec78 [0296.035] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\gBC4XFdkf.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\e03o_xgg2lhl\\gbc4xfdkf.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\gBC4XFdkf.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\e03o_xgg2lhl\\gbc4xfdkf.mkv.nefilim")) returned 1 [0296.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec78 | out: hHeap=0x28d0000) returned 1 [0296.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.036] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5641e020, ftCreationTime.dwHighDateTime=0x1d5e5a5, ftLastAccessTime.dwLowDateTime=0xcc22a650, ftLastAccessTime.dwHighDateTime=0x1d5e4a4, ftLastWriteTime.dwLowDateTime=0xcc22a650, ftLastWriteTime.dwHighDateTime=0x1d5e4a4, nFileSizeHigh=0x0, nFileSizeLow=0x18a6, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="PCNC3V9bnYes2hlgVEkD.mp4", cAlternateFileName="PCNC3V~1.MP4")) returned 1 [0296.036] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2=".") returned 1 [0296.036] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="..") returned 1 [0296.036] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="...") returned 1 [0296.036] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="windows") returned -1 [0296.036] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="$RECYCLE.BIN") returned 1 [0296.036] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="rsa") returned -1 [0296.036] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="NTDETECT.COM") returned 1 [0296.036] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="ntldr") returned 1 [0296.036] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="MSDOS.SYS") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="IO.SYS") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="boot.ini") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="ntuser.dat") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="desktop.ini") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="CONFIG.SYS") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="RECYCLER") returned -1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="BOOTSECT.BAK") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="bootmgr") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="programdata") returned -1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="appdata") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="program files") returned -1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="program files (x86)") returned -1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="microsoft") returned 1 [0296.037] lstrcmpiW (lpString1="PCNC3V9bnYes2hlgVEkD.mp4", lpString2="sophos") returned -1 [0296.037] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec00 [0296.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0296.037] PathFindExtensionW (pszPath="PCNC3V9bnYes2hlgVEkD.mp4") returned=".mp4" [0296.037] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0296.037] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0296.037] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0296.037] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0296.038] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0296.038] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0296.038] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0296.038] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0296.038] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0296.038] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0296.038] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0296.038] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0296.038] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0296.038] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64a79800, ftCreationTime.dwHighDateTime=0x1d5e3d2, ftLastAccessTime.dwLowDateTime=0xa9cfb8e0, ftLastAccessTime.dwHighDateTime=0x1d5ed5a, ftLastWriteTime.dwLowDateTime=0xa9cfb8e0, ftLastWriteTime.dwHighDateTime=0x1d5ed5a, nFileSizeHigh=0x0, nFileSizeLow=0x7382, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="_4uOXTKlwn1 RRDsW.avi", cAlternateFileName="_4UOXT~1.AVI")) returned 1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2=".") returned 1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="..") returned 1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="...") returned 1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="windows") returned -1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="$RECYCLE.BIN") returned 1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="rsa") returned -1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="NTDETECT.COM") returned -1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="ntldr") returned -1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="MSDOS.SYS") returned -1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="IO.SYS") returned -1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="boot.ini") returned -1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="AUTOEXEC.BAT") returned -1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="ntuser.dat") returned -1 [0296.038] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="desktop.ini") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="CONFIG.SYS") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="RECYCLER") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="BOOTSECT.BAK") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="bootmgr") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="programdata") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="appdata") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="program files") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="program files (x86)") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="microsoft") returned -1 [0296.039] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="sophos") returned -1 [0296.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe50 [0296.039] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.039] PathFindExtensionW (pszPath="_4uOXTKlwn1 RRDsW.avi") returned=".avi" [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0296.039] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0296.040] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0296.040] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0296.040] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0296.040] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0296.040] lstrcmpiW (lpString1="_4uOXTKlwn1 RRDsW.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec00 [0296.040] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\_4uOXTKlwn1 RRDsW.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\e03o_xgg2lhl\\_4uoxtklwn1 rrdsw.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.040] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=29570) returned 1 [0296.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.040] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.041] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0296.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23200 [0296.041] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.041] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23200*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23200*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.041] GetTickCount () returned 0x118a0e1 [0296.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deba0 [0296.041] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deba0 | out: hHeap=0x28d0000) returned 1 [0296.041] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7382, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.042] SetLastError (dwErrCode=0x0) [0296.042] WriteFile (in: hFile=0x274, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.043] GetLastError () returned 0x0 [0296.043] GetLastError () returned 0x0 [0296.043] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7482, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.043] WriteFile (in: hFile=0x274, lpBuffer=0x2d23200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23200*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.043] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7582, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.043] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd6c5cb21, dwHighDateTime=0x1d5fd73)) [0296.043] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0296.043] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0296.043] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.043] GetProcessHeap () returned 0xa10000 [0296.043] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x7382) returned 0xa406b0 [0296.043] GetSystemDefaultLangID () returned 0xa20409 [0296.043] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.043] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x7382, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x7382, lpOverlapped=0x0) returned 1 [0296.045] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.045] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x7382, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x7382, lpOverlapped=0x0) returned 1 [0296.046] GetProcessHeap () returned 0xa10000 [0296.046] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.048] CloseHandle (hObject=0x274) returned 1 [0296.048] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0296.048] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23200 | out: hHeap=0x28d0000) returned 1 [0296.048] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.048] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec88 [0296.048] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\_4uOXTKlwn1 RRDsW.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\e03o_xgg2lhl\\_4uoxtklwn1 rrdsw.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\E03o_xGG2lhL\\_4uOXTKlwn1 RRDsW.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\e03o_xgg2lhl\\_4uoxtklwn1 rrdsw.avi.nefilim")) returned 1 [0296.049] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.049] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.049] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64a79800, ftCreationTime.dwHighDateTime=0x1d5e3d2, ftLastAccessTime.dwLowDateTime=0xa9cfb8e0, ftLastAccessTime.dwHighDateTime=0x1d5ed5a, ftLastWriteTime.dwLowDateTime=0xa9cfb8e0, ftLastWriteTime.dwHighDateTime=0x1d5ed5a, nFileSizeHigh=0x0, nFileSizeLow=0x7382, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="_4uOXTKlwn1 RRDsW.avi", cAlternateFileName="_4UOXT~1.AVI")) returned 0 [0296.049] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0296.051] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe50 | out: hHeap=0x28d0000) returned 1 [0296.056] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde8 | out: hHeap=0x28d0000) returned 1 [0296.056] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0296.056] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9c66ce0, ftCreationTime.dwHighDateTime=0x1d5eaf1, ftLastAccessTime.dwLowDateTime=0x67952700, ftLastAccessTime.dwHighDateTime=0x1d5ef83, ftLastWriteTime.dwLowDateTime=0x67952700, ftLastWriteTime.dwHighDateTime=0x1d5ef83, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="jxqy5hmca f5sSN9l", cAlternateFileName="JXQY5H~1")) returned 1 [0296.056] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2=".") returned 1 [0296.056] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="..") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="...") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="windows") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="$RECYCLE.BIN") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="rsa") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="NTDETECT.COM") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="ntldr") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="MSDOS.SYS") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="IO.SYS") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="boot.ini") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="AUTOEXEC.BAT") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="ntuser.dat") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="desktop.ini") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="CONFIG.SYS") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="RECYCLER") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="BOOTSECT.BAK") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="bootmgr") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="programdata") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="appdata") returned 1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="program files") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="program files (x86)") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="microsoft") returned -1 [0296.057] lstrcmpiW (lpString1="jxqy5hmca f5sSN9l", lpString2="sophos") returned -1 [0296.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0296.057] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd80 | out: hHeap=0x28d0000) returned 1 [0296.057] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0296.058] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd90 [0296.058] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbdf8 [0296.058] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9c66ce0, ftCreationTime.dwHighDateTime=0x1d5eaf1, ftLastAccessTime.dwLowDateTime=0x67952700, ftLastAccessTime.dwHighDateTime=0x1d5ef83, ftLastWriteTime.dwLowDateTime=0x67952700, ftLastWriteTime.dwHighDateTime=0x1d5ef83, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0296.058] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0296.058] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9c66ce0, ftCreationTime.dwHighDateTime=0x1d5eaf1, ftLastAccessTime.dwLowDateTime=0x67952700, ftLastAccessTime.dwHighDateTime=0x1d5ef83, ftLastWriteTime.dwLowDateTime=0x67952700, ftLastWriteTime.dwHighDateTime=0x1d5ef83, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0296.058] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0296.058] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0296.058] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b2b9ae0, ftCreationTime.dwHighDateTime=0x1d5ed65, ftLastAccessTime.dwLowDateTime=0x9128d900, ftLastAccessTime.dwHighDateTime=0x1d5eef1, ftLastWriteTime.dwLowDateTime=0x9128d900, ftLastWriteTime.dwHighDateTime=0x1d5eef1, nFileSizeHigh=0x0, nFileSizeLow=0x698a, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="3 Zvwqh.mkv", cAlternateFileName="3ZVWQH~1.MKV")) returned 1 [0296.058] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2=".") returned 1 [0296.058] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="..") returned 1 [0296.058] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="...") returned 1 [0296.058] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="windows") returned -1 [0296.058] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="$RECYCLE.BIN") returned 1 [0296.058] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="rsa") returned -1 [0296.058] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="NTDETECT.COM") returned -1 [0296.058] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="ntldr") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="MSDOS.SYS") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="IO.SYS") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="boot.ini") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="AUTOEXEC.BAT") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="ntuser.dat") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="desktop.ini") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="CONFIG.SYS") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="RECYCLER") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="BOOTSECT.BAK") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="bootmgr") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="programdata") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="appdata") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="program files") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="program files (x86)") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="microsoft") returned -1 [0296.059] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="sophos") returned -1 [0296.059] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe70 [0296.059] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.059] PathFindExtensionW (pszPath="3 Zvwqh.mkv") returned=".mkv" [0296.059] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0296.059] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0296.059] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0296.059] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0296.059] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0296.059] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0296.059] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0296.060] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0296.060] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0296.060] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0296.060] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0296.060] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0296.060] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0296.060] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0296.060] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0296.060] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0296.060] lstrcmpiW (lpString1="3 Zvwqh.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.060] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec00 [0296.060] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\3 Zvwqh.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\3 zvwqh.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.060] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=27018) returned 1 [0296.060] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.060] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.060] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.061] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.061] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0296.061] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22288 [0296.061] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.061] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22288*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22288*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.062] GetTickCount () returned 0x118a0f1 [0296.062] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb30 [0296.062] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb30 | out: hHeap=0x28d0000) returned 1 [0296.062] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x698a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.062] SetLastError (dwErrCode=0x0) [0296.062] WriteFile (in: hFile=0x274, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.063] GetLastError () returned 0x0 [0296.063] GetLastError () returned 0x0 [0296.063] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6a8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.063] WriteFile (in: hFile=0x274, lpBuffer=0x2d22288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22288*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.063] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6b8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.063] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd6c8261c, dwHighDateTime=0x1d5fd73)) [0296.063] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdf8 [0296.063] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.064] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.064] GetProcessHeap () returned 0xa10000 [0296.064] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x698a) returned 0xa406b0 [0296.064] GetSystemDefaultLangID () returned 0xa20409 [0296.064] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.064] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x698a, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x698a, lpOverlapped=0x0) returned 1 [0296.066] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.066] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x698a, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x698a, lpOverlapped=0x0) returned 1 [0296.066] GetProcessHeap () returned 0xa10000 [0296.066] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.116] CloseHandle (hObject=0x274) returned 1 [0296.116] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0296.116] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22288 | out: hHeap=0x28d0000) returned 1 [0296.116] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.116] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.116] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec88 [0296.117] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\3 Zvwqh.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\3 zvwqh.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\3 Zvwqh.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\3 zvwqh.mkv.nefilim")) returned 1 [0296.118] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.118] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.118] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11bb080, ftCreationTime.dwHighDateTime=0x1d5e25d, ftLastAccessTime.dwLowDateTime=0xe582c5a0, ftLastAccessTime.dwHighDateTime=0x1d5e853, ftLastWriteTime.dwLowDateTime=0xe582c5a0, ftLastWriteTime.dwHighDateTime=0x1d5e853, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="aDa1g YCHRONte", cAlternateFileName="ADA1GY~1")) returned 1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2=".") returned 1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="..") returned 1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="...") returned 1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="windows") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="$RECYCLE.BIN") returned 1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="rsa") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="NTDETECT.COM") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="ntldr") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="MSDOS.SYS") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="IO.SYS") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="boot.ini") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="AUTOEXEC.BAT") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="ntuser.dat") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="desktop.ini") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="CONFIG.SYS") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="RECYCLER") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="BOOTSECT.BAK") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="bootmgr") returned -1 [0296.118] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="programdata") returned -1 [0296.119] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="appdata") returned -1 [0296.119] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="program files") returned -1 [0296.119] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="program files (x86)") returned -1 [0296.119] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="microsoft") returned -1 [0296.119] lstrcmpiW (lpString1="aDa1g YCHRONte", lpString2="sophos") returned -1 [0296.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec00 [0296.119] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0296.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdf8 [0296.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe80 [0296.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec88 [0296.119] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\*.*", lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11bb080, ftCreationTime.dwHighDateTime=0x1d5e25d, ftLastAccessTime.dwLowDateTime=0xe582c5a0, ftLastAccessTime.dwHighDateTime=0x1d5e853, ftLastWriteTime.dwLowDateTime=0xe582c5a0, ftLastWriteTime.dwHighDateTime=0x1d5e853, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName=".", cAlternateFileName="")) returned 0xa2f620 [0296.119] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0296.119] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11bb080, ftCreationTime.dwHighDateTime=0x1d5e25d, ftLastAccessTime.dwLowDateTime=0xe582c5a0, ftLastAccessTime.dwHighDateTime=0x1d5e853, ftLastWriteTime.dwLowDateTime=0xe582c5a0, ftLastWriteTime.dwHighDateTime=0x1d5e853, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="..", cAlternateFileName="")) returned 1 [0296.121] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0296.121] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0296.121] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2faf7580, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0x247cc370, ftLastAccessTime.dwHighDateTime=0x1d5e523, ftLastWriteTime.dwLowDateTime=0x247cc370, ftLastWriteTime.dwHighDateTime=0x1d5e523, nFileSizeHigh=0x0, nFileSizeLow=0xa89c, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="6h0-y.flv", cAlternateFileName="")) returned 1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2=".") returned 1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="..") returned 1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="...") returned 1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="windows") returned -1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="$RECYCLE.BIN") returned 1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="rsa") returned -1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="NTDETECT.COM") returned -1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="ntldr") returned -1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="MSDOS.SYS") returned -1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="IO.SYS") returned -1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="boot.ini") returned -1 [0296.121] lstrcmpiW (lpString1="6h0-y.flv", lpString2="AUTOEXEC.BAT") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="ntuser.dat") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="desktop.ini") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="CONFIG.SYS") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="RECYCLER") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="BOOTSECT.BAK") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="bootmgr") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="programdata") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="appdata") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="program files") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="program files (x86)") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="microsoft") returned -1 [0296.122] lstrcmpiW (lpString1="6h0-y.flv", lpString2="sophos") returned -1 [0296.122] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28ded20 [0296.122] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.122] PathFindExtensionW (pszPath="6h0-y.flv") returned=".flv" [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0296.122] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0296.123] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0296.123] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0296.123] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0296.123] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0296.123] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0296.123] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0296.123] lstrcmpiW (lpString1="6h0-y.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec88 [0296.123] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\6h0-y.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\6h0-y.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0296.123] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=43164) returned 1 [0296.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.123] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.123] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.123] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d225a0 [0296.124] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22078 [0296.124] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d225a0*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d225a0*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0296.124] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22078*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22078*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0296.125] GetTickCount () returned 0x118a12f [0296.125] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de820 [0296.125] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de820 | out: hHeap=0x28d0000) returned 1 [0296.125] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xa89c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.125] SetLastError (dwErrCode=0x0) [0296.125] WriteFile (in: hFile=0x278, lpBuffer=0x2d225a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d225a0*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.126] GetLastError () returned 0x0 [0296.126] GetLastError () returned 0x0 [0296.126] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xa99c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.126] WriteFile (in: hFile=0x278, lpBuffer=0x2d22078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d22078*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.126] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xaa9c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.126] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd6d1af18, dwHighDateTime=0x1d5fd73)) [0296.126] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dedb8 [0296.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedb8 | out: hHeap=0x28d0000) returned 1 [0296.127] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0296.127] GetProcessHeap () returned 0xa10000 [0296.127] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xa89c) returned 0xa416b8 [0296.127] GetSystemDefaultLangID () returned 0xa20409 [0296.127] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.127] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0xa89c, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0xa89c, lpOverlapped=0x0) returned 1 [0296.130] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.130] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0xa89c, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0xa89c, lpOverlapped=0x0) returned 1 [0296.131] GetProcessHeap () returned 0xa10000 [0296.131] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0296.131] CloseHandle (hObject=0x278) returned 1 [0296.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d225a0 | out: hHeap=0x28d0000) returned 1 [0296.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22078 | out: hHeap=0x28d0000) returned 1 [0296.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.131] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dedb8 [0296.131] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\6h0-y.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\6h0-y.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\6h0-y.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\6h0-y.flv.nefilim")) returned 1 [0296.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedb8 | out: hHeap=0x28d0000) returned 1 [0296.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.132] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc61638d0, ftCreationTime.dwHighDateTime=0x1d5ec33, ftLastAccessTime.dwLowDateTime=0x24757330, ftLastAccessTime.dwHighDateTime=0x1d5e5a1, ftLastWriteTime.dwLowDateTime=0x24757330, ftLastWriteTime.dwHighDateTime=0x1d5e5a1, nFileSizeHigh=0x0, nFileSizeLow=0x1684d, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="a93SFt.mkv", cAlternateFileName="")) returned 1 [0296.132] lstrcmpiW (lpString1="a93SFt.mkv", lpString2=".") returned 1 [0296.132] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="..") returned 1 [0296.132] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="...") returned 1 [0296.132] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="windows") returned -1 [0296.132] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="$RECYCLE.BIN") returned 1 [0296.132] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="rsa") returned -1 [0296.132] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="NTDETECT.COM") returned -1 [0296.132] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="ntldr") returned -1 [0296.132] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="MSDOS.SYS") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="IO.SYS") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="boot.ini") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="AUTOEXEC.BAT") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="ntuser.dat") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="desktop.ini") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="CONFIG.SYS") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="RECYCLER") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="BOOTSECT.BAK") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="bootmgr") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="programdata") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="appdata") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="program files") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="program files (x86)") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="microsoft") returned -1 [0296.133] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="sophos") returned -1 [0296.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec88 [0296.133] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded20 | out: hHeap=0x28d0000) returned 1 [0296.133] PathFindExtensionW (pszPath="a93SFt.mkv") returned=".mkv" [0296.133] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0296.133] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0296.133] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0296.133] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0296.133] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0296.133] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0296.134] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0296.134] lstrcmpiW (lpString1="a93SFt.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28ded20 [0296.134] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\a93SFt.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\a93sft.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0296.134] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=92237) returned 1 [0296.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.135] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.135] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22390 [0296.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22180 [0296.135] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22390*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d22390*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0296.137] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22180*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22180*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0296.139] GetTickCount () returned 0x118a13f [0296.139] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9e0 [0296.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9e0 | out: hHeap=0x28d0000) returned 1 [0296.139] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1684d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.139] SetLastError (dwErrCode=0x0) [0296.139] WriteFile (in: hFile=0x278, lpBuffer=0x2d22390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d22390*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.140] GetLastError () returned 0x0 [0296.140] GetLastError () returned 0x0 [0296.140] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1694d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.140] WriteFile (in: hFile=0x278, lpBuffer=0x2d22180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d22180*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.140] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x16a4d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.140] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd6d411bf, dwHighDateTime=0x1d5fd73)) [0296.140] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dedb8 [0296.140] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedb8 | out: hHeap=0x28d0000) returned 1 [0296.141] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0296.141] GetProcessHeap () returned 0xa10000 [0296.141] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1684d) returned 0xa416b8 [0296.141] GetSystemDefaultLangID () returned 0xa20409 [0296.141] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.141] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x1684d, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x1684d, lpOverlapped=0x0) returned 1 [0296.162] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.162] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x1684d, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x1684d, lpOverlapped=0x0) returned 1 [0296.163] GetProcessHeap () returned 0xa10000 [0296.163] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0296.163] CloseHandle (hObject=0x278) returned 1 [0296.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22390 | out: hHeap=0x28d0000) returned 1 [0296.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22180 | out: hHeap=0x28d0000) returned 1 [0296.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.163] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.163] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dedb8 [0296.163] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\a93SFt.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\a93sft.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\a93SFt.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\a93sft.mkv.nefilim")) returned 1 [0296.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedb8 | out: hHeap=0x28d0000) returned 1 [0296.164] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded20 | out: hHeap=0x28d0000) returned 1 [0296.164] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e8c0bd0, ftCreationTime.dwHighDateTime=0x1d5e9b3, ftLastAccessTime.dwLowDateTime=0xcacaa1b0, ftLastAccessTime.dwHighDateTime=0x1d5e286, ftLastWriteTime.dwLowDateTime=0xcacaa1b0, ftLastWriteTime.dwHighDateTime=0x1d5e286, nFileSizeHigh=0x0, nFileSizeLow=0xe592, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="EKoM--sktM.mp4", cAlternateFileName="EKOM--~1.MP4")) returned 1 [0296.164] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2=".") returned 1 [0296.164] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="..") returned 1 [0296.164] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="...") returned 1 [0296.164] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="windows") returned -1 [0296.164] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="$RECYCLE.BIN") returned 1 [0296.164] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="rsa") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="NTDETECT.COM") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="ntldr") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="MSDOS.SYS") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="IO.SYS") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="boot.ini") returned 1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="ntuser.dat") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="desktop.ini") returned 1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="CONFIG.SYS") returned 1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="RECYCLER") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="BOOTSECT.BAK") returned 1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="bootmgr") returned 1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="programdata") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="appdata") returned 1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="program files") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="program files (x86)") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="microsoft") returned -1 [0296.165] lstrcmpiW (lpString1="EKoM--sktM.mp4", lpString2="sophos") returned -1 [0296.165] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28ded20 [0296.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.165] PathFindExtensionW (pszPath="EKoM--sktM.mp4") returned=".mp4" [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0296.166] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0296.166] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd361e000, ftCreationTime.dwHighDateTime=0x1d5e640, ftLastAccessTime.dwLowDateTime=0xcfdce8e0, ftLastAccessTime.dwHighDateTime=0x1d5eb2b, ftLastWriteTime.dwLowDateTime=0xcfdce8e0, ftLastWriteTime.dwHighDateTime=0x1d5eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x179fd, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="L7wYSQv.mp4", cAlternateFileName="")) returned 1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2=".") returned 1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="..") returned 1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="...") returned 1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="windows") returned -1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="$RECYCLE.BIN") returned 1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="rsa") returned -1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="NTDETECT.COM") returned -1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="ntldr") returned -1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="MSDOS.SYS") returned -1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="IO.SYS") returned 1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="boot.ini") returned 1 [0296.167] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="ntuser.dat") returned -1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="desktop.ini") returned 1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="CONFIG.SYS") returned 1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="RECYCLER") returned -1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="BOOTSECT.BAK") returned 1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="bootmgr") returned 1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="programdata") returned -1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="appdata") returned 1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="program files") returned -1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="program files (x86)") returned -1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="microsoft") returned -1 [0296.168] lstrcmpiW (lpString1="L7wYSQv.mp4", lpString2="sophos") returned -1 [0296.169] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dedc8 [0296.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded20 | out: hHeap=0x28d0000) returned 1 [0296.169] PathFindExtensionW (pszPath="L7wYSQv.mp4") returned=".mp4" [0296.169] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0296.169] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0296.169] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0296.169] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0296.169] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0296.169] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0296.169] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0296.169] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0296.169] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0296.170] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0296.170] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0296.170] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0296.170] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0296.170] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x537a09b0, ftCreationTime.dwHighDateTime=0x1d5e449, ftLastAccessTime.dwLowDateTime=0x6fdde210, ftLastAccessTime.dwHighDateTime=0x1d5e495, ftLastWriteTime.dwLowDateTime=0x6fdde210, ftLastWriteTime.dwHighDateTime=0x1d5e495, nFileSizeHigh=0x0, nFileSizeLow=0x760a, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="qFBHHOqwQlS.swf", cAlternateFileName="QFBHHO~1.SWF")) returned 1 [0296.170] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2=".") returned 1 [0296.170] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="..") returned 1 [0296.170] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="...") returned 1 [0296.170] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="windows") returned -1 [0296.170] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="$RECYCLE.BIN") returned 1 [0296.170] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="rsa") returned -1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="NTDETECT.COM") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="ntldr") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="MSDOS.SYS") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="IO.SYS") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="boot.ini") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="AUTOEXEC.BAT") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="ntuser.dat") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="desktop.ini") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="CONFIG.SYS") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="RECYCLER") returned -1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="BOOTSECT.BAK") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="bootmgr") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="programdata") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="appdata") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="program files") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="program files (x86)") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="microsoft") returned 1 [0296.171] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="sophos") returned -1 [0296.172] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dec88 [0296.172] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedc8 | out: hHeap=0x28d0000) returned 1 [0296.172] PathFindExtensionW (pszPath="qFBHHOqwQlS.swf") returned=".swf" [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0296.172] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0296.172] lstrcmpiW (lpString1="qFBHHOqwQlS.swf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0296.172] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28ded30 [0296.173] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\qFBHHOqwQlS.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\qfbhhoqwqls.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0296.173] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=30218) returned 1 [0296.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.173] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.173] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22cd8 [0296.173] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22180 [0296.173] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22cd8*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d22cd8*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0296.174] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22180*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22180*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0296.174] GetTickCount () returned 0x118a15e [0296.174] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de820 [0296.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de820 | out: hHeap=0x28d0000) returned 1 [0296.174] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x760a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.174] SetLastError (dwErrCode=0x0) [0296.174] WriteFile (in: hFile=0x278, lpBuffer=0x2d22cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d22cd8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.175] GetLastError () returned 0x0 [0296.176] GetLastError () returned 0x0 [0296.176] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x770a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.176] WriteFile (in: hFile=0x278, lpBuffer=0x2d22180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d22180*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.176] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x780a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.177] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd6db389a, dwHighDateTime=0x1d5fd73)) [0296.177] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dedd8 [0296.177] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedd8 | out: hHeap=0x28d0000) returned 1 [0296.177] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0296.177] GetProcessHeap () returned 0xa10000 [0296.177] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x760a) returned 0xa416b8 [0296.177] GetSystemDefaultLangID () returned 0xa20409 [0296.177] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.177] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x760a, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x760a, lpOverlapped=0x0) returned 1 [0296.179] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.179] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x760a, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x760a, lpOverlapped=0x0) returned 1 [0296.180] GetProcessHeap () returned 0xa10000 [0296.180] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0296.180] CloseHandle (hObject=0x278) returned 1 [0296.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22cd8 | out: hHeap=0x28d0000) returned 1 [0296.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22180 | out: hHeap=0x28d0000) returned 1 [0296.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dedd8 [0296.180] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\qFBHHOqwQlS.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\qfbhhoqwqls.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\qFBHHOqwQlS.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\qfbhhoqwqls.swf.nefilim")) returned 1 [0296.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedd8 | out: hHeap=0x28d0000) returned 1 [0296.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded30 | out: hHeap=0x28d0000) returned 1 [0296.181] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc070fd0, ftCreationTime.dwHighDateTime=0x1d5ee88, ftLastAccessTime.dwLowDateTime=0x93d91580, ftLastAccessTime.dwHighDateTime=0x1d5e90a, ftLastWriteTime.dwLowDateTime=0x93d91580, ftLastWriteTime.dwHighDateTime=0x1d5e90a, nFileSizeHigh=0x0, nFileSizeLow=0x12b9f, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="S Uw9C-.swf", cAlternateFileName="SUW9C-~1.SWF")) returned 1 [0296.181] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2=".") returned 1 [0296.181] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="..") returned 1 [0296.181] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="...") returned 1 [0296.181] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="windows") returned -1 [0296.181] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="$RECYCLE.BIN") returned 1 [0296.181] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="rsa") returned 1 [0296.181] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="NTDETECT.COM") returned 1 [0296.181] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="ntldr") returned 1 [0296.181] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="MSDOS.SYS") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="IO.SYS") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="boot.ini") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="AUTOEXEC.BAT") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="ntuser.dat") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="desktop.ini") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="CONFIG.SYS") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="RECYCLER") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="BOOTSECT.BAK") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="bootmgr") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="programdata") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="appdata") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="program files") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="program files (x86)") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="microsoft") returned 1 [0296.182] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="sophos") returned -1 [0296.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28ded30 [0296.182] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.182] PathFindExtensionW (pszPath="S Uw9C-.swf") returned=".swf" [0296.182] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0296.182] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0296.182] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0296.182] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0296.183] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0296.183] lstrcmpiW (lpString1="S Uw9C-.swf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0296.183] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dec88 [0296.183] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\S Uw9C-.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\s uw9c-.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0296.183] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=76703) returned 1 [0296.183] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.184] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.184] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23a40 [0296.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d228b8 [0296.184] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23a40*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23a40*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0296.186] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d228b8*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d228b8*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0296.188] GetTickCount () returned 0x118a16e [0296.188] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deba0 [0296.188] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deba0 | out: hHeap=0x28d0000) returned 1 [0296.188] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x12b9f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.188] SetLastError (dwErrCode=0x0) [0296.188] WriteFile (in: hFile=0x278, lpBuffer=0x2d23a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d23a40*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.190] GetLastError () returned 0x0 [0296.190] GetLastError () returned 0x0 [0296.190] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x12c9f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.190] WriteFile (in: hFile=0x278, lpBuffer=0x2d228b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d228b8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.190] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x12d9f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.191] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd6db389a, dwHighDateTime=0x1d5fd73)) [0296.191] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dedd8 [0296.191] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedd8 | out: hHeap=0x28d0000) returned 1 [0296.191] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0296.191] GetProcessHeap () returned 0xa10000 [0296.191] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12b9f) returned 0xa416b8 [0296.191] GetSystemDefaultLangID () returned 0xa20409 [0296.191] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.191] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0x12b9f, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0x12b9f, lpOverlapped=0x0) returned 1 [0296.214] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.214] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0x12b9f, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0x12b9f, lpOverlapped=0x0) returned 1 [0296.215] GetProcessHeap () returned 0xa10000 [0296.215] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0296.215] CloseHandle (hObject=0x278) returned 1 [0296.215] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23a40 | out: hHeap=0x28d0000) returned 1 [0296.215] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d228b8 | out: hHeap=0x28d0000) returned 1 [0296.215] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.215] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.215] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dedd8 [0296.215] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\S Uw9C-.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\s uw9c-.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\S Uw9C-.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\s uw9c-.swf.nefilim")) returned 1 [0296.217] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedd8 | out: hHeap=0x28d0000) returned 1 [0296.217] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.217] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d8dc680, ftCreationTime.dwHighDateTime=0x1d5ed67, ftLastAccessTime.dwLowDateTime=0x55bd6d40, ftLastAccessTime.dwHighDateTime=0x1d5e5fa, ftLastWriteTime.dwLowDateTime=0x55bd6d40, ftLastWriteTime.dwHighDateTime=0x1d5e5fa, nFileSizeHigh=0x0, nFileSizeLow=0xd438, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="VHisUoiGiA.flv", cAlternateFileName="VHISUO~1.FLV")) returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2=".") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="..") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="...") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="windows") returned -1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="$RECYCLE.BIN") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="rsa") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="NTDETECT.COM") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="ntldr") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="MSDOS.SYS") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="IO.SYS") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="boot.ini") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="AUTOEXEC.BAT") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="ntuser.dat") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="desktop.ini") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="CONFIG.SYS") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="RECYCLER") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="BOOTSECT.BAK") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="bootmgr") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="programdata") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="appdata") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="program files") returned 1 [0296.217] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="program files (x86)") returned 1 [0296.218] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="microsoft") returned 1 [0296.218] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="sophos") returned 1 [0296.218] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dec88 [0296.218] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded30 | out: hHeap=0x28d0000) returned 1 [0296.218] PathFindExtensionW (pszPath="VHisUoiGiA.flv") returned=".flv" [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0296.218] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0296.218] lstrcmpiW (lpString1="VHisUoiGiA.flv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0296.218] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28ded30 [0296.218] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\VHisUoiGiA.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\vhisuoigia.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0296.219] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x26ee2e8 | out: lpFileSize=0x26ee2e8*=54328) returned 1 [0296.219] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.219] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.219] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.219] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.219] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d226a8 [0296.219] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23e60 [0296.219] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d226a8*, pdwDataLen=0x26ee2a8*=0x10, dwBufLen=0x100 | out: pbData=0x2d226a8*, pdwDataLen=0x26ee2a8*=0x100) returned 1 [0296.220] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23e60*, pdwDataLen=0x26ee2a4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23e60*, pdwDataLen=0x26ee2a4*=0x100) returned 1 [0296.220] GetTickCount () returned 0x118a18d [0296.220] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea18 [0296.220] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea18 | out: hHeap=0x28d0000) returned 1 [0296.220] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xd438, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.220] SetLastError (dwErrCode=0x0) [0296.220] WriteFile (in: hFile=0x278, lpBuffer=0x2d226a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d226a8*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.221] GetLastError () returned 0x0 [0296.221] GetLastError () returned 0x0 [0296.221] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xd538, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.221] WriteFile (in: hFile=0x278, lpBuffer=0x2d23e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x2d23e60*, lpNumberOfBytesWritten=0x26ee300*=0x100, lpOverlapped=0x0) returned 1 [0296.221] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xd638, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.222] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee2bc | out: lpSystemTimeAsFileTime=0x26ee2bc*(dwLowDateTime=0xd6dffd6f, dwHighDateTime=0x1d5fd73)) [0296.222] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dedd8 [0296.222] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedd8 | out: hHeap=0x28d0000) returned 1 [0296.222] WriteFile (in: hFile=0x278, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee300*=0x7, lpOverlapped=0x0) returned 1 [0296.222] GetProcessHeap () returned 0xa10000 [0296.222] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xd438) returned 0xa416b8 [0296.222] GetSystemDefaultLangID () returned 0xa20409 [0296.222] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.222] ReadFile (in: hFile=0x278, lpBuffer=0xa416b8, nNumberOfBytesToRead=0xd438, lpNumberOfBytesRead=0x26ee30c, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesRead=0x26ee30c*=0xd438, lpOverlapped=0x0) returned 1 [0296.229] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.229] WriteFile (in: hFile=0x278, lpBuffer=0xa416b8*, nNumberOfBytesToWrite=0xd438, lpNumberOfBytesWritten=0x26ee300, lpOverlapped=0x0 | out: lpBuffer=0xa416b8*, lpNumberOfBytesWritten=0x26ee300*=0xd438, lpOverlapped=0x0) returned 1 [0296.229] GetProcessHeap () returned 0xa10000 [0296.229] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa416b8 | out: hHeap=0xa10000) returned 1 [0296.231] CloseHandle (hObject=0x278) returned 1 [0296.231] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d226a8 | out: hHeap=0x28d0000) returned 1 [0296.231] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23e60 | out: hHeap=0x28d0000) returned 1 [0296.231] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.231] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.231] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xb0) returned 0x28dedd8 [0296.231] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\VHisUoiGiA.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\vhisuoigia.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\aDa1g YCHRONte\\VHisUoiGiA.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\ada1g ychronte\\vhisuoigia.flv.nefilim")) returned 1 [0296.232] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dedd8 | out: hHeap=0x28d0000) returned 1 [0296.232] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded30 | out: hHeap=0x28d0000) returned 1 [0296.232] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4fc4e0, ftCreationTime.dwHighDateTime=0x1d5e3a3, ftLastAccessTime.dwLowDateTime=0xc795e40, ftLastAccessTime.dwHighDateTime=0x1d5e1d2, ftLastWriteTime.dwLowDateTime=0xc795e40, ftLastWriteTime.dwHighDateTime=0x1d5e1d2, nFileSizeHigh=0x0, nFileSizeLow=0xd40c, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="XMNGUcRKT.mp4", cAlternateFileName="XMNGUC~1.MP4")) returned 1 [0296.232] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2=".") returned 1 [0296.232] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="..") returned 1 [0296.232] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="...") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="windows") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="$RECYCLE.BIN") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="rsa") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="NTDETECT.COM") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="ntldr") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="MSDOS.SYS") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="IO.SYS") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="boot.ini") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="ntuser.dat") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="desktop.ini") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="CONFIG.SYS") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="RECYCLER") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="BOOTSECT.BAK") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="bootmgr") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="programdata") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="appdata") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="program files") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="program files (x86)") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="microsoft") returned 1 [0296.233] lstrcmpiW (lpString1="XMNGUcRKT.mp4", lpString2="sophos") returned 1 [0296.233] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28ded30 [0296.233] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.233] PathFindExtensionW (pszPath="XMNGUcRKT.mp4") returned=".mp4" [0296.233] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0296.233] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0296.234] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0296.234] FindNextFileW (in: hFindFile=0xa2f620, lpFindFileData=0x26ee3f8 | out: lpFindFileData=0x26ee3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4fc4e0, ftCreationTime.dwHighDateTime=0x1d5e3a3, ftLastAccessTime.dwLowDateTime=0xc795e40, ftLastAccessTime.dwHighDateTime=0x1d5e1d2, ftLastWriteTime.dwLowDateTime=0xc795e40, ftLastWriteTime.dwHighDateTime=0x1d5e1d2, nFileSizeHigh=0x0, nFileSizeLow=0xd40c, dwReserved0=0x28dec00, dwReserved1=0x5000000, cFileName="XMNGUcRKT.mp4", cAlternateFileName="XMNGUC~1.MP4")) returned 0 [0296.234] FindClose (in: hFindFile=0xa2f620 | out: hFindFile=0xa2f620) returned 1 [0296.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28ded30 | out: hHeap=0x28d0000) returned 1 [0296.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0296.236] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.236] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9304e20, ftCreationTime.dwHighDateTime=0x1d5e920, ftLastAccessTime.dwLowDateTime=0x35d1e4b0, ftLastAccessTime.dwHighDateTime=0x1d5e993, ftLastWriteTime.dwLowDateTime=0x35d1e4b0, ftLastWriteTime.dwHighDateTime=0x1d5e993, nFileSizeHigh=0x0, nFileSizeLow=0xa0f, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="bScY1TVg5NQT4Yp.swf", cAlternateFileName="BSCY1T~1.SWF")) returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2=".") returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="..") returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="...") returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="windows") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="$RECYCLE.BIN") returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="rsa") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="NTDETECT.COM") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="ntldr") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="MSDOS.SYS") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="IO.SYS") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="boot.ini") returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="AUTOEXEC.BAT") returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="ntuser.dat") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="desktop.ini") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="CONFIG.SYS") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="RECYCLER") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="BOOTSECT.BAK") returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="bootmgr") returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="programdata") returned -1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="appdata") returned 1 [0296.236] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="program files") returned -1 [0296.237] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="program files (x86)") returned -1 [0296.237] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="microsoft") returned -1 [0296.237] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="sophos") returned -1 [0296.237] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbdf8 [0296.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.237] PathFindExtensionW (pszPath="bScY1TVg5NQT4Yp.swf") returned=".swf" [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0296.237] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0296.237] lstrcmpiW (lpString1="bScY1TVg5NQT4Yp.swf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.237] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec00 [0296.237] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\bScY1TVg5NQT4Yp.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\bscy1tvg5nqt4yp.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.238] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=2575) returned 1 [0296.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.238] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.238] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23d58 [0296.238] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0296.238] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23d58*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23d58*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.239] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.239] GetTickCount () returned 0x118a1ac [0296.239] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb68 [0296.239] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb68 | out: hHeap=0x28d0000) returned 1 [0296.239] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa0f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.239] SetLastError (dwErrCode=0x0) [0296.239] WriteFile (in: hFile=0x274, lpBuffer=0x2d23d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23d58*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.241] GetLastError () returned 0x0 [0296.241] GetLastError () returned 0x0 [0296.241] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb0f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.241] WriteFile (in: hFile=0x274, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.241] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc0f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.241] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd6e4c1bf, dwHighDateTime=0x1d5fd73)) [0296.241] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0296.241] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0296.241] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.241] GetProcessHeap () returned 0xa10000 [0296.241] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xa0f) returned 0xa34b88 [0296.241] GetSystemDefaultLangID () returned 0xa20409 [0296.241] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.241] ReadFile (in: hFile=0x274, lpBuffer=0xa34b88, nNumberOfBytesToRead=0xa0f, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26ee62c*=0xa0f, lpOverlapped=0x0) returned 1 [0296.241] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.242] WriteFile (in: hFile=0x274, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0xa0f, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26ee620*=0xa0f, lpOverlapped=0x0) returned 1 [0296.280] GetProcessHeap () returned 0xa10000 [0296.280] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0296.280] CloseHandle (hObject=0x274) returned 1 [0296.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23d58 | out: hHeap=0x28d0000) returned 1 [0296.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0296.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.290] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.290] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dec98 [0296.290] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\bScY1TVg5NQT4Yp.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\bscy1tvg5nqt4yp.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\bScY1TVg5NQT4Yp.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\bscy1tvg5nqt4yp.swf.nefilim")) returned 1 [0296.291] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec98 | out: hHeap=0x28d0000) returned 1 [0296.291] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.291] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e90e30, ftCreationTime.dwHighDateTime=0x1d5ecf3, ftLastAccessTime.dwLowDateTime=0xa3b26e80, ftLastAccessTime.dwHighDateTime=0x1d5f0e3, ftLastWriteTime.dwLowDateTime=0xa3b26e80, ftLastWriteTime.dwHighDateTime=0x1d5f0e3, nFileSizeHigh=0x0, nFileSizeLow=0x733f, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="j-OV4SbiA.avi", cAlternateFileName="J-OV4S~1.AVI")) returned 1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2=".") returned 1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="..") returned 1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="...") returned 1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="windows") returned -1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="$RECYCLE.BIN") returned 1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="rsa") returned -1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="NTDETECT.COM") returned -1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="ntldr") returned -1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="MSDOS.SYS") returned -1 [0296.291] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="IO.SYS") returned 1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="boot.ini") returned 1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="AUTOEXEC.BAT") returned 1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="ntuser.dat") returned -1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="desktop.ini") returned 1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="CONFIG.SYS") returned 1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="RECYCLER") returned -1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="BOOTSECT.BAK") returned 1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="bootmgr") returned 1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="programdata") returned -1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="appdata") returned 1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="program files") returned -1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="program files (x86)") returned -1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="microsoft") returned -1 [0296.292] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="sophos") returned -1 [0296.292] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec00 [0296.292] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.292] PathFindExtensionW (pszPath="j-OV4SbiA.avi") returned=".avi" [0296.292] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0296.292] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0296.292] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0296.292] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0296.292] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0296.292] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0296.292] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0296.292] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0296.292] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0296.293] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0296.293] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0296.293] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0296.293] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0296.293] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0296.293] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0296.293] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0296.293] lstrcmpiW (lpString1="j-OV4SbiA.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdf8 [0296.293] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\j-OV4SbiA.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\j-ov4sbia.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.293] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=29503) returned 1 [0296.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.293] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.293] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.293] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23308 [0296.294] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d229c0 [0296.294] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23308*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23308*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.296] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d229c0*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d229c0*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.298] GetTickCount () returned 0x118a1db [0296.298] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de900 [0296.298] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de900 | out: hHeap=0x28d0000) returned 1 [0296.298] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x733f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.298] SetLastError (dwErrCode=0x0) [0296.298] WriteFile (in: hFile=0x274, lpBuffer=0x2d23308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23308*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.299] GetLastError () returned 0x0 [0296.299] GetLastError () returned 0x0 [0296.299] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x743f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.299] WriteFile (in: hFile=0x274, lpBuffer=0x2d229c0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d229c0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.299] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x753f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.299] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd6ebe982, dwHighDateTime=0x1d5fd73)) [0296.299] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe80 [0296.299] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0296.299] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.300] GetProcessHeap () returned 0xa10000 [0296.300] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x733f) returned 0xa406b0 [0296.300] GetSystemDefaultLangID () returned 0xa20409 [0296.300] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.300] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x733f, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x733f, lpOverlapped=0x0) returned 1 [0296.302] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.302] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x733f, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x733f, lpOverlapped=0x0) returned 1 [0296.302] GetProcessHeap () returned 0xa10000 [0296.303] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.303] CloseHandle (hObject=0x274) returned 1 [0296.303] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23308 | out: hHeap=0x28d0000) returned 1 [0296.303] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d229c0 | out: hHeap=0x28d0000) returned 1 [0296.303] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.303] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.303] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec88 [0296.303] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\j-OV4SbiA.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\j-ov4sbia.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\j-OV4SbiA.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\j-ov4sbia.avi.nefilim")) returned 1 [0296.304] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.304] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.304] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x944ef1e0, ftCreationTime.dwHighDateTime=0x1d5ee25, ftLastAccessTime.dwLowDateTime=0x9f7d5a80, ftLastAccessTime.dwHighDateTime=0x1d5f09a, ftLastWriteTime.dwLowDateTime=0x9f7d5a80, ftLastWriteTime.dwHighDateTime=0x1d5f09a, nFileSizeHigh=0x0, nFileSizeLow=0x745e, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="kN1Rak.swf", cAlternateFileName="")) returned 1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2=".") returned 1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="..") returned 1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="...") returned 1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="windows") returned -1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="$RECYCLE.BIN") returned 1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="rsa") returned -1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="NTDETECT.COM") returned -1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="ntldr") returned -1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="MSDOS.SYS") returned -1 [0296.304] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="IO.SYS") returned 1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="boot.ini") returned 1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="AUTOEXEC.BAT") returned 1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="ntuser.dat") returned -1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="desktop.ini") returned 1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="CONFIG.SYS") returned 1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="RECYCLER") returned -1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="BOOTSECT.BAK") returned 1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="bootmgr") returned 1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="programdata") returned -1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="appdata") returned 1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="program files") returned -1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="program files (x86)") returned -1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="microsoft") returned -1 [0296.305] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="sophos") returned -1 [0296.305] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdf8 [0296.305] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.305] PathFindExtensionW (pszPath="kN1Rak.swf") returned=".swf" [0296.305] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0296.305] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0296.305] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0296.305] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0296.305] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0296.305] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0296.305] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0296.306] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0296.306] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0296.306] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0296.306] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0296.306] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0296.306] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0296.306] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0296.306] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0296.306] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0296.306] lstrcmpiW (lpString1="kN1Rak.swf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.306] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe80 [0296.306] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\kN1Rak.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\kn1rak.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.306] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=29790) returned 1 [0296.306] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.306] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.306] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.306] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.307] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23410 [0296.307] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22498 [0296.307] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23410*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23410*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.307] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22498*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22498*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.307] GetTickCount () returned 0x118a1eb [0296.307] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de900 [0296.307] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de900 | out: hHeap=0x28d0000) returned 1 [0296.307] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x745e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.308] SetLastError (dwErrCode=0x0) [0296.308] WriteFile (in: hFile=0x274, lpBuffer=0x2d23410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23410*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.309] GetLastError () returned 0x0 [0296.309] GetLastError () returned 0x0 [0296.309] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x755e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.309] WriteFile (in: hFile=0x274, lpBuffer=0x2d22498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22498*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.309] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x765e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.309] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd6ee4ca4, dwHighDateTime=0x1d5fd73)) [0296.309] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dec00 [0296.309] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.309] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.309] GetProcessHeap () returned 0xa10000 [0296.309] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x745e) returned 0xa406b0 [0296.309] GetSystemDefaultLangID () returned 0xa20409 [0296.309] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.309] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x745e, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x745e, lpOverlapped=0x0) returned 1 [0296.311] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.311] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x745e, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x745e, lpOverlapped=0x0) returned 1 [0296.312] GetProcessHeap () returned 0xa10000 [0296.312] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.313] CloseHandle (hObject=0x274) returned 1 [0296.313] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23410 | out: hHeap=0x28d0000) returned 1 [0296.313] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22498 | out: hHeap=0x28d0000) returned 1 [0296.313] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.313] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.314] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec00 [0296.314] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\kN1Rak.swf" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\kn1rak.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\jxqy5hmca f5sSN9l\\kN1Rak.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\jxqy5hmca f5ssn9l\\kn1rak.swf.nefilim")) returned 1 [0296.314] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.314] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0296.314] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x944ef1e0, ftCreationTime.dwHighDateTime=0x1d5ee25, ftLastAccessTime.dwLowDateTime=0x9f7d5a80, ftLastAccessTime.dwHighDateTime=0x1d5f09a, ftLastWriteTime.dwLowDateTime=0x9f7d5a80, ftLastWriteTime.dwHighDateTime=0x1d5f09a, nFileSizeHigh=0x0, nFileSizeLow=0x745e, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="kN1Rak.swf", cAlternateFileName="")) returned 0 [0296.315] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0296.316] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.316] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0296.316] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0296.316] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a750d0, ftCreationTime.dwHighDateTime=0x1d5ecfb, ftLastAccessTime.dwLowDateTime=0x51d99de0, ftLastAccessTime.dwHighDateTime=0x1d5e76f, ftLastWriteTime.dwLowDateTime=0x51d99de0, ftLastWriteTime.dwHighDateTime=0x1d5e76f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="nbKCVnoT__z4lHX", cAlternateFileName="NBKCVN~1")) returned 1 [0296.316] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2=".") returned 1 [0296.316] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="..") returned 1 [0296.316] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="...") returned 1 [0296.316] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="windows") returned -1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="$RECYCLE.BIN") returned 1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="rsa") returned -1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="NTDETECT.COM") returned -1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="ntldr") returned -1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="MSDOS.SYS") returned 1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="IO.SYS") returned 1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="boot.ini") returned 1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="AUTOEXEC.BAT") returned 1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="ntuser.dat") returned -1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="desktop.ini") returned 1 [0296.318] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="CONFIG.SYS") returned 1 [0296.319] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="RECYCLER") returned -1 [0296.319] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="BOOTSECT.BAK") returned 1 [0296.319] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="bootmgr") returned 1 [0296.319] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="programdata") returned -1 [0296.319] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="appdata") returned 1 [0296.319] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="program files") returned -1 [0296.319] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="program files (x86)") returned -1 [0296.319] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="microsoft") returned 1 [0296.319] lstrcmpiW (lpString1="nbKCVnoT__z4lHX", lpString2="sophos") returned -1 [0296.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0296.319] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0296.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0296.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd90 [0296.319] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf8 [0296.319] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a750d0, ftCreationTime.dwHighDateTime=0x1d5ecfb, ftLastAccessTime.dwLowDateTime=0x51d99de0, ftLastAccessTime.dwHighDateTime=0x1d5e76f, ftLastWriteTime.dwLowDateTime=0x51d99de0, ftLastWriteTime.dwHighDateTime=0x1d5e76f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xa2f5e0 [0296.319] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0296.319] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a750d0, ftCreationTime.dwHighDateTime=0x1d5ecfb, ftLastAccessTime.dwLowDateTime=0x51d99de0, ftLastAccessTime.dwHighDateTime=0x1d5e76f, ftLastWriteTime.dwLowDateTime=0x51d99de0, ftLastWriteTime.dwHighDateTime=0x1d5e76f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0296.319] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0296.320] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0296.320] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54d2cb40, ftCreationTime.dwHighDateTime=0x1d5e3ee, ftLastAccessTime.dwLowDateTime=0xc66f02f0, ftLastAccessTime.dwHighDateTime=0x1d5e33a, ftLastWriteTime.dwLowDateTime=0xc66f02f0, ftLastWriteTime.dwHighDateTime=0x1d5e33a, nFileSizeHigh=0x0, nFileSizeLow=0x1889a, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="8HXGrwZQmEIq-.flv", cAlternateFileName="8HXGRW~1.FLV")) returned 1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2=".") returned 1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="..") returned 1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="...") returned 1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="windows") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="$RECYCLE.BIN") returned 1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="rsa") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="NTDETECT.COM") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="ntldr") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="MSDOS.SYS") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="IO.SYS") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="boot.ini") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="AUTOEXEC.BAT") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="ntuser.dat") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="desktop.ini") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="CONFIG.SYS") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="RECYCLER") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="BOOTSECT.BAK") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="bootmgr") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="programdata") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="appdata") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="program files") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="program files (x86)") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="microsoft") returned -1 [0296.320] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="sophos") returned -1 [0296.320] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe60 [0296.321] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.321] PathFindExtensionW (pszPath="8HXGrwZQmEIq-.flv") returned=".flv" [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0296.321] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0296.321] lstrcmpiW (lpString1="8HXGrwZQmEIq-.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.321] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec00 [0296.321] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\8HXGrwZQmEIq-.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\nbkcvnot__z4lhx\\8hxgrwzqmeiq-.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.322] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=100506) returned 1 [0296.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.322] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.322] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0296.322] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0296.322] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.323] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.323] GetTickCount () returned 0x118a1fa [0296.323] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de890 [0296.323] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de890 | out: hHeap=0x28d0000) returned 1 [0296.323] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1889a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.323] SetLastError (dwErrCode=0x0) [0296.323] WriteFile (in: hFile=0x274, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.325] GetLastError () returned 0x0 [0296.325] GetLastError () returned 0x0 [0296.325] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1899a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.325] WriteFile (in: hFile=0x274, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.325] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18a9a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.325] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd6f0ae6d, dwHighDateTime=0x1d5fd73)) [0296.325] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdf8 [0296.325] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.325] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.325] GetProcessHeap () returned 0xa10000 [0296.325] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1889a) returned 0xa406b0 [0296.325] GetSystemDefaultLangID () returned 0xa20409 [0296.325] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.325] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x1889a, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x1889a, lpOverlapped=0x0) returned 1 [0296.334] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.334] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x1889a, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x1889a, lpOverlapped=0x0) returned 1 [0296.334] GetProcessHeap () returned 0xa10000 [0296.334] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.334] CloseHandle (hObject=0x274) returned 1 [0296.335] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0296.335] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0296.335] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.335] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.335] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec88 [0296.335] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\8HXGrwZQmEIq-.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\nbkcvnot__z4lhx\\8hxgrwzqmeiq-.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\8HXGrwZQmEIq-.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\nbkcvnot__z4lhx\\8hxgrwzqmeiq-.flv.nefilim")) returned 1 [0296.336] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec88 | out: hHeap=0x28d0000) returned 1 [0296.336] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.336] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7c8a00, ftCreationTime.dwHighDateTime=0x1d5e935, ftLastAccessTime.dwLowDateTime=0x1350b530, ftLastAccessTime.dwHighDateTime=0x1d5e7de, ftLastWriteTime.dwLowDateTime=0x1350b530, ftLastWriteTime.dwHighDateTime=0x1d5e7de, nFileSizeHigh=0x0, nFileSizeLow=0x8e2e, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="PHaYNsj1FJ1Wxe4fjxpF.avi", cAlternateFileName="PHAYNS~1.AVI")) returned 1 [0296.336] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2=".") returned 1 [0296.336] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="..") returned 1 [0296.336] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="...") returned 1 [0296.336] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="windows") returned -1 [0296.336] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="$RECYCLE.BIN") returned 1 [0296.336] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="rsa") returned -1 [0296.336] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="NTDETECT.COM") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="ntldr") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="MSDOS.SYS") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="IO.SYS") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="boot.ini") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="AUTOEXEC.BAT") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="ntuser.dat") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="desktop.ini") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="CONFIG.SYS") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="RECYCLER") returned -1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="BOOTSECT.BAK") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="bootmgr") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="programdata") returned -1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="appdata") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="program files") returned -1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="program files (x86)") returned -1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="microsoft") returned 1 [0296.337] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="sophos") returned -1 [0296.337] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec00 [0296.337] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe60 | out: hHeap=0x28d0000) returned 1 [0296.337] PathFindExtensionW (pszPath="PHaYNsj1FJ1Wxe4fjxpF.avi") returned=".avi" [0296.337] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0296.337] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0296.337] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0296.337] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0296.337] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0296.338] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0296.338] lstrcmpiW (lpString1="PHaYNsj1FJ1Wxe4fjxpF.avi", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0296.338] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbdf8 [0296.338] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\PHaYNsj1FJ1Wxe4fjxpF.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\nbkcvnot__z4lhx\\phaynsj1fj1wxe4fjxpf.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.338] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=36398) returned 1 [0296.338] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.339] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.339] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.339] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.339] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0296.339] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23c50 [0296.339] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.341] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23c50*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23c50*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.343] GetTickCount () returned 0x118a20a [0296.343] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb30 [0296.343] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb30 | out: hHeap=0x28d0000) returned 1 [0296.343] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8e2e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.343] SetLastError (dwErrCode=0x0) [0296.343] WriteFile (in: hFile=0x274, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.344] GetLastError () returned 0x0 [0296.344] GetLastError () returned 0x0 [0296.345] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8f2e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.345] WriteFile (in: hFile=0x274, lpBuffer=0x2d23c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23c50*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.384] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x902e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.384] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd6fa357a, dwHighDateTime=0x1d5fd73)) [0296.384] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0296.384] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0296.384] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.384] GetProcessHeap () returned 0xa10000 [0296.384] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x8e2e) returned 0xa406b0 [0296.390] GetSystemDefaultLangID () returned 0xa20409 [0296.390] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.391] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x8e2e, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x8e2e, lpOverlapped=0x0) returned 1 [0296.544] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.544] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x8e2e, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x8e2e, lpOverlapped=0x0) returned 1 [0296.545] GetProcessHeap () returned 0xa10000 [0296.545] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.545] CloseHandle (hObject=0x274) returned 1 [0296.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0296.545] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23c50 | out: hHeap=0x28d0000) returned 1 [0296.546] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.546] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.546] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dec98 [0296.546] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\PHaYNsj1FJ1Wxe4fjxpF.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\nbkcvnot__z4lhx\\phaynsj1fj1wxe4fjxpf.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\PHaYNsj1FJ1Wxe4fjxpF.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\nbkcvnot__z4lhx\\phaynsj1fj1wxe4fjxpf.avi.nefilim")) returned 1 [0296.547] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec98 | out: hHeap=0x28d0000) returned 1 [0296.547] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.547] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63499c20, ftCreationTime.dwHighDateTime=0x1d5f0ab, ftLastAccessTime.dwLowDateTime=0xa5784360, ftLastAccessTime.dwHighDateTime=0x1d5f080, ftLastWriteTime.dwLowDateTime=0xa5784360, ftLastWriteTime.dwHighDateTime=0x1d5f080, nFileSizeHigh=0x0, nFileSizeLow=0x7b5b, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="PyWwTVUP-58.mkv", cAlternateFileName="PYWWTV~1.MKV")) returned 1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2=".") returned 1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="..") returned 1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="...") returned 1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="windows") returned -1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="$RECYCLE.BIN") returned 1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="rsa") returned -1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="NTDETECT.COM") returned 1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="ntldr") returned 1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="MSDOS.SYS") returned 1 [0296.547] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="IO.SYS") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="boot.ini") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="ntuser.dat") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="desktop.ini") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="CONFIG.SYS") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="RECYCLER") returned -1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="BOOTSECT.BAK") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="bootmgr") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="programdata") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="appdata") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="program files") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="program files (x86)") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="microsoft") returned 1 [0296.548] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="sophos") returned -1 [0296.548] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdf8 [0296.548] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.548] PathFindExtensionW (pszPath="PyWwTVUP-58.mkv") returned=".mkv" [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0296.583] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0296.584] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0296.584] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0296.584] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0296.584] lstrcmpiW (lpString1="PyWwTVUP-58.mkv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0296.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe80 [0296.584] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\PyWwTVUP-58.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\nbkcvnot__z4lhx\\pywwtvup-58.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.584] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=31579) returned 1 [0296.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.584] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.584] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.585] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.585] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23938 [0296.585] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23a40 [0296.585] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23938*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23938*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.587] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23a40*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23a40*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.589] GetTickCount () returned 0x118a304 [0296.589] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deac0 [0296.589] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deac0 | out: hHeap=0x28d0000) returned 1 [0296.589] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7b5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.589] SetLastError (dwErrCode=0x0) [0296.589] WriteFile (in: hFile=0x274, lpBuffer=0x2d23938*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23938*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.590] GetLastError () returned 0x0 [0296.590] GetLastError () returned 0x0 [0296.590] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7c5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.591] WriteFile (in: hFile=0x274, lpBuffer=0x2d23a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23a40*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.591] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7d5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.591] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd71933af, dwHighDateTime=0x1d5fd73)) [0296.591] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dec00 [0296.591] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.591] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.591] GetProcessHeap () returned 0xa10000 [0296.591] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x7b5b) returned 0xa406b0 [0296.591] GetSystemDefaultLangID () returned 0xa20409 [0296.591] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.591] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x7b5b, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x7b5b, lpOverlapped=0x0) returned 1 [0296.593] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.594] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x7b5b, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x7b5b, lpOverlapped=0x0) returned 1 [0296.594] GetProcessHeap () returned 0xa10000 [0296.594] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.594] CloseHandle (hObject=0x274) returned 1 [0296.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23938 | out: hHeap=0x28d0000) returned 1 [0296.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23a40 | out: hHeap=0x28d0000) returned 1 [0296.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.594] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.594] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec00 [0296.594] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\PyWwTVUP-58.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\nbkcvnot__z4lhx\\pywwtvup-58.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\nbKCVnoT__z4lHX\\PyWwTVUP-58.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\nbkcvnot__z4lhx\\pywwtvup-58.mkv.nefilim")) returned 1 [0296.595] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.595] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe80 | out: hHeap=0x28d0000) returned 1 [0296.595] FindNextFileW (in: hFindFile=0xa2f5e0, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63499c20, ftCreationTime.dwHighDateTime=0x1d5f0ab, ftLastAccessTime.dwLowDateTime=0xa5784360, ftLastAccessTime.dwHighDateTime=0x1d5f080, ftLastWriteTime.dwLowDateTime=0xa5784360, ftLastWriteTime.dwHighDateTime=0x1d5f080, nFileSizeHigh=0x0, nFileSizeLow=0x7b5b, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="PyWwTVUP-58.mkv", cAlternateFileName="PYWWTV~1.MKV")) returned 0 [0296.596] FindClose (in: hFindFile=0xa2f5e0 | out: hFindFile=0xa2f5e0) returned 1 [0296.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0296.596] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0296.596] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83a8e590, ftCreationTime.dwHighDateTime=0x1d5ead7, ftLastAccessTime.dwLowDateTime=0xee8444a0, ftLastAccessTime.dwHighDateTime=0x1d5f085, ftLastWriteTime.dwLowDateTime=0xee8444a0, ftLastWriteTime.dwHighDateTime=0x1d5f085, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="ORaVI-SYKv6OZ", cAlternateFileName="ORAVI-~1")) returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2=".") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="..") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="...") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="windows") returned -1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="$RECYCLE.BIN") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="rsa") returned -1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="NTDETECT.COM") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="ntldr") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="MSDOS.SYS") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="IO.SYS") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="boot.ini") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="AUTOEXEC.BAT") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="ntuser.dat") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="desktop.ini") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="CONFIG.SYS") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="RECYCLER") returned -1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="BOOTSECT.BAK") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="bootmgr") returned 1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="programdata") returned -1 [0296.596] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="appdata") returned 1 [0296.597] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="program files") returned -1 [0296.597] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="program files (x86)") returned -1 [0296.597] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="microsoft") returned 1 [0296.597] lstrcmpiW (lpString1="ORaVI-SYKv6OZ", lpString2="sophos") returned -1 [0296.597] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0296.597] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0296.597] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0296.597] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd90 [0296.597] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdf8 [0296.597] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83a8e590, ftCreationTime.dwHighDateTime=0x1d5ead7, ftLastAccessTime.dwLowDateTime=0xee8444a0, ftLastAccessTime.dwHighDateTime=0x1d5f085, ftLastWriteTime.dwLowDateTime=0xee8444a0, ftLastWriteTime.dwHighDateTime=0x1d5f085, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0296.597] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0296.597] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83a8e590, ftCreationTime.dwHighDateTime=0x1d5ead7, ftLastAccessTime.dwLowDateTime=0xee8444a0, ftLastAccessTime.dwHighDateTime=0x1d5f085, ftLastWriteTime.dwLowDateTime=0xee8444a0, ftLastWriteTime.dwHighDateTime=0x1d5f085, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0296.597] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0296.597] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0296.597] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcab0fbc0, ftCreationTime.dwHighDateTime=0x1d5e321, ftLastAccessTime.dwLowDateTime=0xf1f44600, ftLastAccessTime.dwHighDateTime=0x1d5e24b, ftLastWriteTime.dwLowDateTime=0xf1f44600, ftLastWriteTime.dwHighDateTime=0x1d5e24b, nFileSizeHigh=0x0, nFileSizeLow=0x14c82, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="0hY-N_9i.flv", cAlternateFileName="")) returned 1 [0296.597] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2=".") returned 1 [0296.597] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="..") returned 1 [0296.597] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="...") returned 1 [0296.597] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="windows") returned -1 [0296.597] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="$RECYCLE.BIN") returned 1 [0296.597] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="rsa") returned -1 [0296.598] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="NTDETECT.COM") returned -1 [0296.598] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="ntldr") returned -1 [0296.598] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="MSDOS.SYS") returned -1 [0296.598] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="IO.SYS") returned -1 [0296.598] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="boot.ini") returned -1 [0296.598] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="AUTOEXEC.BAT") returned -1 [0296.598] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="ntuser.dat") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="desktop.ini") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="CONFIG.SYS") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="RECYCLER") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="BOOTSECT.BAK") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="bootmgr") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="programdata") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="appdata") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="program files") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="program files (x86)") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="microsoft") returned -1 [0296.599] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="sophos") returned -1 [0296.599] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe60 [0296.599] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.599] PathFindExtensionW (pszPath="0hY-N_9i.flv") returned=".flv" [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0296.599] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0296.600] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0296.600] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0296.600] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0296.600] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0296.600] lstrcmpiW (lpString1="0hY-N_9i.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dec00 [0296.600] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\0hY-N_9i.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\0hy-n_9i.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.600] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=85122) returned 1 [0296.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.600] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.600] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d227b0 [0296.600] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23830 [0296.600] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d227b0*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d227b0*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.603] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23830*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23830*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.605] GetTickCount () returned 0x118a314 [0296.605] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb30 [0296.605] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb30 | out: hHeap=0x28d0000) returned 1 [0296.605] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14c82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.605] SetLastError (dwErrCode=0x0) [0296.605] WriteFile (in: hFile=0x274, lpBuffer=0x2d227b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d227b0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.606] GetLastError () returned 0x0 [0296.606] GetLastError () returned 0x0 [0296.606] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14d82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.606] WriteFile (in: hFile=0x274, lpBuffer=0x2d23830*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23830*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.606] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14e82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.606] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd71b97df, dwHighDateTime=0x1d5fd73)) [0296.606] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdf8 [0296.606] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.607] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.607] GetProcessHeap () returned 0xa10000 [0296.607] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x14c82) returned 0xa406b0 [0296.607] GetSystemDefaultLangID () returned 0xa20409 [0296.607] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.607] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x14c82, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x14c82, lpOverlapped=0x0) returned 1 [0296.633] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.633] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x14c82, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x14c82, lpOverlapped=0x0) returned 1 [0296.633] GetProcessHeap () returned 0xa10000 [0296.634] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.634] CloseHandle (hObject=0x274) returned 1 [0296.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d227b0 | out: hHeap=0x28d0000) returned 1 [0296.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23830 | out: hHeap=0x28d0000) returned 1 [0296.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.634] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.634] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec78 [0296.634] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\0hY-N_9i.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\0hy-n_9i.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\0hY-N_9i.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\0hy-n_9i.flv.nefilim")) returned 1 [0296.639] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec78 | out: hHeap=0x28d0000) returned 1 [0296.639] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.639] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3832a870, ftCreationTime.dwHighDateTime=0x1d5ea8d, ftLastAccessTime.dwLowDateTime=0x8d168770, ftLastAccessTime.dwHighDateTime=0x1d5e7d2, ftLastWriteTime.dwLowDateTime=0x8d168770, ftLastWriteTime.dwHighDateTime=0x1d5e7d2, nFileSizeHigh=0x0, nFileSizeLow=0x50b3, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="9yif_gK2YUYvDAQPyO8A.avi", cAlternateFileName="9YIF_G~1.AVI")) returned 1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2=".") returned 1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="..") returned 1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="...") returned 1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="windows") returned -1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="$RECYCLE.BIN") returned 1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="rsa") returned -1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="NTDETECT.COM") returned -1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="ntldr") returned -1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="MSDOS.SYS") returned -1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="IO.SYS") returned -1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="boot.ini") returned -1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="AUTOEXEC.BAT") returned -1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="ntuser.dat") returned -1 [0296.639] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="desktop.ini") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="CONFIG.SYS") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="RECYCLER") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="BOOTSECT.BAK") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="bootmgr") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="programdata") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="appdata") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="program files") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="program files (x86)") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="microsoft") returned -1 [0296.640] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="sophos") returned -1 [0296.640] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec00 [0296.640] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe60 | out: hHeap=0x28d0000) returned 1 [0296.640] PathFindExtensionW (pszPath="9yif_gK2YUYvDAQPyO8A.avi") returned=".avi" [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0296.640] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0296.641] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0296.641] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0296.641] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0296.641] lstrcmpiW (lpString1="9yif_gK2YUYvDAQPyO8A.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0296.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbdf8 [0296.641] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\9yif_gK2YUYvDAQPyO8A.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\9yif_gk2yuyvdaqpyo8a.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.641] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=20659) returned 1 [0296.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.641] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.641] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23728 [0296.641] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22390 [0296.641] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23728*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23728*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.642] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22390*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22390*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.642] GetTickCount () returned 0x118a333 [0296.642] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de970 [0296.642] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de970 | out: hHeap=0x28d0000) returned 1 [0296.642] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x50b3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.642] SetLastError (dwErrCode=0x0) [0296.643] WriteFile (in: hFile=0x274, lpBuffer=0x2d23728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23728*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.644] GetLastError () returned 0x0 [0296.644] GetLastError () returned 0x0 [0296.644] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x51b3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.644] WriteFile (in: hFile=0x274, lpBuffer=0x2d22390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22390*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.644] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x52b3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.644] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd7205c44, dwHighDateTime=0x1d5fd73)) [0296.644] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0296.644] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0296.644] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.644] GetProcessHeap () returned 0xa10000 [0296.644] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x50b3) returned 0xa406b0 [0296.644] GetSystemDefaultLangID () returned 0xa20409 [0296.644] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.644] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x50b3, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x50b3, lpOverlapped=0x0) returned 1 [0296.882] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.882] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x50b3, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x50b3, lpOverlapped=0x0) returned 1 [0296.883] GetProcessHeap () returned 0xa10000 [0296.883] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.885] CloseHandle (hObject=0x274) returned 1 [0296.885] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23728 | out: hHeap=0x28d0000) returned 1 [0296.885] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22390 | out: hHeap=0x28d0000) returned 1 [0296.885] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.885] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dec98 [0296.885] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\9yif_gK2YUYvDAQPyO8A.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\9yif_gk2yuyvdaqpyo8a.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\9yif_gK2YUYvDAQPyO8A.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\9yif_gk2yuyvdaqpyo8a.avi.nefilim")) returned 1 [0296.886] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec98 | out: hHeap=0x28d0000) returned 1 [0296.886] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.887] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b34ed10, ftCreationTime.dwHighDateTime=0x1d5e6d7, ftLastAccessTime.dwLowDateTime=0x3a98f50, ftLastAccessTime.dwHighDateTime=0x1d5ea43, ftLastWriteTime.dwLowDateTime=0x3a98f50, ftLastWriteTime.dwHighDateTime=0x1d5ea43, nFileSizeHigh=0x0, nFileSizeLow=0x17f85, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="Nx3Maw.mkv", cAlternateFileName="")) returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2=".") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="..") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="...") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="windows") returned -1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="$RECYCLE.BIN") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="rsa") returned -1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="NTDETECT.COM") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="ntldr") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="MSDOS.SYS") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="IO.SYS") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="boot.ini") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="ntuser.dat") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="desktop.ini") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="CONFIG.SYS") returned 1 [0296.887] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="RECYCLER") returned -1 [0296.888] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="BOOTSECT.BAK") returned 1 [0296.888] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="bootmgr") returned 1 [0296.888] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="programdata") returned -1 [0296.888] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="appdata") returned 1 [0296.888] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="program files") returned -1 [0296.888] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="program files (x86)") returned -1 [0296.888] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="microsoft") returned 1 [0296.888] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="sophos") returned -1 [0296.888] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbdf8 [0296.888] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.888] PathFindExtensionW (pszPath="Nx3Maw.mkv") returned=".mkv" [0296.888] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0296.888] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0296.888] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0296.888] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0296.888] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0296.888] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0296.888] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0296.889] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0296.889] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0296.889] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0296.889] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0296.889] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0296.889] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0296.889] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0296.889] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0296.889] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0296.889] lstrcmpiW (lpString1="Nx3Maw.mkv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0296.889] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0296.889] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\Nx3Maw.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\nx3maw.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.890] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=98181) returned 1 [0296.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.890] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.890] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d227b0 [0296.890] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23938 [0296.890] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d227b0*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d227b0*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.892] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23938*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23938*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.894] GetTickCount () returned 0x118a42d [0296.894] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9e0 [0296.894] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9e0 | out: hHeap=0x28d0000) returned 1 [0296.894] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17f85, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.895] SetLastError (dwErrCode=0x0) [0296.895] WriteFile (in: hFile=0x274, lpBuffer=0x2d227b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d227b0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.896] GetLastError () returned 0x0 [0296.896] GetLastError () returned 0x0 [0296.896] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18085, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.896] WriteFile (in: hFile=0x274, lpBuffer=0x2d23938*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23938*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.897] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18185, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.897] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd748e4b7, dwHighDateTime=0x1d5fd73)) [0296.897] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dec00 [0296.897] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.897] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.897] GetProcessHeap () returned 0xa10000 [0296.897] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x17f85) returned 0xa406b0 [0296.899] GetSystemDefaultLangID () returned 0xa20409 [0296.899] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.899] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x17f85, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x17f85, lpOverlapped=0x0) returned 1 [0296.907] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.907] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x17f85, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x17f85, lpOverlapped=0x0) returned 1 [0296.908] GetProcessHeap () returned 0xa10000 [0296.908] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.908] CloseHandle (hObject=0x274) returned 1 [0296.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d227b0 | out: hHeap=0x28d0000) returned 1 [0296.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23938 | out: hHeap=0x28d0000) returned 1 [0296.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec00 [0296.908] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\Nx3Maw.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\nx3maw.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\Nx3Maw.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\nx3maw.mkv.nefilim")) returned 1 [0296.909] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.909] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0296.909] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x741bc910, ftCreationTime.dwHighDateTime=0x1d5e575, ftLastAccessTime.dwLowDateTime=0x45170a50, ftLastAccessTime.dwHighDateTime=0x1d5ee06, ftLastWriteTime.dwLowDateTime=0x45170a50, ftLastWriteTime.dwHighDateTime=0x1d5ee06, nFileSizeHigh=0x0, nFileSizeLow=0xa536, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="pgu1.flv", cAlternateFileName="")) returned 1 [0296.909] lstrcmpiW (lpString1="pgu1.flv", lpString2=".") returned 1 [0296.909] lstrcmpiW (lpString1="pgu1.flv", lpString2="..") returned 1 [0296.909] lstrcmpiW (lpString1="pgu1.flv", lpString2="...") returned 1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="windows") returned -1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="$RECYCLE.BIN") returned 1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="rsa") returned -1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="NTDETECT.COM") returned 1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="ntldr") returned 1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="MSDOS.SYS") returned 1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="IO.SYS") returned 1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="boot.ini") returned 1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="AUTOEXEC.BAT") returned 1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="ntuser.dat") returned 1 [0296.910] lstrcmpiW (lpString1="pgu1.flv", lpString2="desktop.ini") returned 1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="CONFIG.SYS") returned 1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="RECYCLER") returned -1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="BOOTSECT.BAK") returned 1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="bootmgr") returned 1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="programdata") returned -1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="appdata") returned 1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="program files") returned -1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="program files (x86)") returned -1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="microsoft") returned 1 [0296.911] lstrcmpiW (lpString1="pgu1.flv", lpString2="sophos") returned -1 [0296.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe70 [0296.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.911] PathFindExtensionW (pszPath="pgu1.flv") returned=".flv" [0296.911] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0296.911] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0296.911] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0296.911] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0296.912] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0296.912] lstrcmpiW (lpString1="pgu1.flv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0296.912] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbdf8 [0296.912] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\pgu1.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\pgu1.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.913] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=42294) returned 1 [0296.913] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.913] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.913] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.913] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.913] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0296.913] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23728 [0296.914] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.914] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23728*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23728*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.914] GetTickCount () returned 0x118a44c [0296.914] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb30 [0296.915] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb30 | out: hHeap=0x28d0000) returned 1 [0296.915] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa536, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.915] SetLastError (dwErrCode=0x0) [0296.915] WriteFile (in: hFile=0x274, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.916] GetLastError () returned 0x0 [0296.916] GetLastError () returned 0x0 [0296.916] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa636, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.916] WriteFile (in: hFile=0x274, lpBuffer=0x2d23728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23728*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0296.916] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa736, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.916] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd74b4660, dwHighDateTime=0x1d5fd73)) [0296.916] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dec00 [0296.916] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.916] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0296.917] GetProcessHeap () returned 0xa10000 [0296.917] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xa536) returned 0xa406b0 [0296.917] GetSystemDefaultLangID () returned 0xa20409 [0296.917] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.917] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0xa536, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0xa536, lpOverlapped=0x0) returned 1 [0296.920] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.920] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0xa536, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0xa536, lpOverlapped=0x0) returned 1 [0296.920] GetProcessHeap () returned 0xa10000 [0296.920] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0296.920] CloseHandle (hObject=0x274) returned 1 [0296.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0296.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23728 | out: hHeap=0x28d0000) returned 1 [0296.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0296.921] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0296.921] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec00 [0296.921] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\pgu1.flv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\pgu1.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\pgu1.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\pgu1.flv.nefilim")) returned 1 [0296.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0296.922] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0296.922] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2943f5c0, ftCreationTime.dwHighDateTime=0x1d5e0c0, ftLastAccessTime.dwLowDateTime=0xc794afa0, ftLastAccessTime.dwHighDateTime=0x1d5f05e, ftLastWriteTime.dwLowDateTime=0xc794afa0, ftLastWriteTime.dwHighDateTime=0x1d5f05e, nFileSizeHigh=0x0, nFileSizeLow=0xc19a, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="QxmVfYxKKlGV-tzsQ0G.avi", cAlternateFileName="QXMVFY~1.AVI")) returned 1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2=".") returned 1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="..") returned 1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="...") returned 1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="windows") returned -1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="$RECYCLE.BIN") returned 1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="rsa") returned -1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="NTDETECT.COM") returned 1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="ntldr") returned 1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="MSDOS.SYS") returned 1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="IO.SYS") returned 1 [0296.922] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="boot.ini") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="AUTOEXEC.BAT") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="ntuser.dat") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="desktop.ini") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="CONFIG.SYS") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="RECYCLER") returned -1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="BOOTSECT.BAK") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="bootmgr") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="programdata") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="appdata") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="program files") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="program files (x86)") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="microsoft") returned 1 [0296.923] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="sophos") returned -1 [0296.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dec00 [0296.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe70 | out: hHeap=0x28d0000) returned 1 [0296.923] PathFindExtensionW (pszPath="QxmVfYxKKlGV-tzsQ0G.avi") returned=".avi" [0296.923] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0296.923] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0296.923] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0296.923] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0296.923] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0296.923] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0296.923] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0296.923] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0296.923] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0296.924] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0296.924] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0296.924] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0296.924] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0296.924] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0296.924] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0296.924] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0296.924] lstrcmpiW (lpString1="QxmVfYxKKlGV-tzsQ0G.avi", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0296.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x90) returned 0x28dbdf8 [0296.924] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\QxmVfYxKKlGV-tzsQ0G.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\qxmvfyxkklgv-tzsq0g.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0296.924] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=49562) returned 1 [0296.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0296.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0296.924] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0296.924] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0296.924] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23a40 [0296.925] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22078 [0296.925] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23a40*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23a40*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0296.925] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22078*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22078*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0296.925] GetTickCount () returned 0x118a44c [0296.925] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de820 [0296.925] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de820 | out: hHeap=0x28d0000) returned 1 [0296.925] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc19a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0296.926] SetLastError (dwErrCode=0x0) [0296.926] WriteFile (in: hFile=0x274, lpBuffer=0x2d23a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23a40*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0297.017] GetLastError () returned 0x0 [0297.017] GetLastError () returned 0x0 [0297.017] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc29a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.017] WriteFile (in: hFile=0x274, lpBuffer=0x2d22078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22078*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0297.017] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc39a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.017] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd759743f, dwHighDateTime=0x1d5fd73)) [0297.017] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe90 [0297.017] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe90 | out: hHeap=0x28d0000) returned 1 [0297.018] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0297.018] GetProcessHeap () returned 0xa10000 [0297.018] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xc19a) returned 0xa406b0 [0297.018] GetSystemDefaultLangID () returned 0xa20409 [0297.018] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.018] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0xc19a, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0xc19a, lpOverlapped=0x0) returned 1 [0297.021] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.021] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0xc19a, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0xc19a, lpOverlapped=0x0) returned 1 [0297.022] GetProcessHeap () returned 0xa10000 [0297.022] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0297.022] CloseHandle (hObject=0x274) returned 1 [0297.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23a40 | out: hHeap=0x28d0000) returned 1 [0297.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22078 | out: hHeap=0x28d0000) returned 1 [0297.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.022] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.022] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0xa0) returned 0x28dec98 [0297.022] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\QxmVfYxKKlGV-tzsQ0G.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\qxmvfyxkklgv-tzsq0g.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\ORaVI-SYKv6OZ\\QxmVfYxKKlGV-tzsQ0G.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\oravi-sykv6oz\\qxmvfyxkklgv-tzsq0g.avi.nefilim")) returned 1 [0297.024] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec98 | out: hHeap=0x28d0000) returned 1 [0297.024] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0297.024] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b340360, ftCreationTime.dwHighDateTime=0x1d5ec9c, ftLastAccessTime.dwLowDateTime=0xaf5d4410, ftLastAccessTime.dwHighDateTime=0x1d5e186, ftLastWriteTime.dwLowDateTime=0xaf5d4410, ftLastWriteTime.dwHighDateTime=0x1d5e186, nFileSizeHigh=0x0, nFileSizeLow=0x161e4, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="XBswrV8qzs0yKvRt.mp4", cAlternateFileName="XBSWRV~1.MP4")) returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2=".") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="..") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="...") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="windows") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="$RECYCLE.BIN") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="rsa") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="NTDETECT.COM") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="ntldr") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="MSDOS.SYS") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="IO.SYS") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="boot.ini") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="ntuser.dat") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="desktop.ini") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="CONFIG.SYS") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="RECYCLER") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="BOOTSECT.BAK") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="bootmgr") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="programdata") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="appdata") returned 1 [0297.024] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="program files") returned 1 [0297.025] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="program files (x86)") returned 1 [0297.025] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="microsoft") returned 1 [0297.025] lstrcmpiW (lpString1="XBswrV8qzs0yKvRt.mp4", lpString2="sophos") returned 1 [0297.025] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdf8 [0297.025] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0297.025] PathFindExtensionW (pszPath="XBswrV8qzs0yKvRt.mp4") returned=".mp4" [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0297.025] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0297.025] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b340360, ftCreationTime.dwHighDateTime=0x1d5ec9c, ftLastAccessTime.dwLowDateTime=0xaf5d4410, ftLastAccessTime.dwHighDateTime=0x1d5e186, ftLastWriteTime.dwLowDateTime=0xaf5d4410, ftLastWriteTime.dwHighDateTime=0x1d5e186, nFileSizeHigh=0x0, nFileSizeLow=0x161e4, dwReserved0=0x28dbd80, dwReserved1=0x2000000, cFileName="XBswrV8qzs0yKvRt.mp4", cAlternateFileName="XBSWRV~1.MP4")) returned 0 [0297.025] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0297.026] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0297.026] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0297.026] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0297.026] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22724f30, ftCreationTime.dwHighDateTime=0x1d5ecff, ftLastAccessTime.dwLowDateTime=0x30278f0, ftLastAccessTime.dwHighDateTime=0x1d5ee6c, ftLastWriteTime.dwLowDateTime=0x30278f0, ftLastWriteTime.dwHighDateTime=0x1d5ee6c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="rb9", cAlternateFileName="")) returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2=".") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="..") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="...") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="windows") returned -1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="$RECYCLE.BIN") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="rsa") returned -1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="NTDETECT.COM") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="ntldr") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="MSDOS.SYS") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="IO.SYS") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="boot.ini") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="AUTOEXEC.BAT") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="ntuser.dat") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="desktop.ini") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="CONFIG.SYS") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="RECYCLER") returned -1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="BOOTSECT.BAK") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="bootmgr") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="programdata") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="appdata") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="program files") returned 1 [0297.026] lstrcmpiW (lpString1="rb9", lpString2="program files (x86)") returned 1 [0297.027] lstrcmpiW (lpString1="rb9", lpString2="microsoft") returned 1 [0297.027] lstrcmpiW (lpString1="rb9", lpString2="sophos") returned -1 [0297.027] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0297.027] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x5e) returned 0x28dbd70 [0297.027] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0297.027] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.027] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0297.027] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd18 [0297.027] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbdd8 [0297.027] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\rb9\\*.*", lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22724f30, ftCreationTime.dwHighDateTime=0x1d5ecff, ftLastAccessTime.dwLowDateTime=0x30278f0, ftLastAccessTime.dwHighDateTime=0x1d5ee6c, ftLastWriteTime.dwLowDateTime=0x30278f0, ftLastWriteTime.dwHighDateTime=0x1d5ee6c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x7d00007d, cFileName=".", cAlternateFileName="")) returned 0xa2f960 [0297.027] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.027] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22724f30, ftCreationTime.dwHighDateTime=0x1d5ecff, ftLastAccessTime.dwLowDateTime=0x30278f0, ftLastAccessTime.dwHighDateTime=0x1d5ee6c, ftLastWriteTime.dwLowDateTime=0x30278f0, ftLastWriteTime.dwHighDateTime=0x1d5ee6c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbd80, dwReserved1=0x7d00007d, cFileName="..", cAlternateFileName="")) returned 1 [0297.027] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.027] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.027] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29649320, ftCreationTime.dwHighDateTime=0x1d5efd4, ftLastAccessTime.dwLowDateTime=0x898073a0, ftLastAccessTime.dwHighDateTime=0x1d5f07e, ftLastWriteTime.dwLowDateTime=0x898073a0, ftLastWriteTime.dwHighDateTime=0x1d5f07e, nFileSizeHigh=0x0, nFileSizeLow=0x1281, dwReserved0=0x28dbd80, dwReserved1=0x7d00007d, cFileName="75B0P VvL kbeDTBCK.mkv", cAlternateFileName="75B0PV~1.MKV")) returned 1 [0297.027] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2=".") returned 1 [0297.027] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="..") returned 1 [0297.027] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="...") returned 1 [0297.027] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="windows") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="$RECYCLE.BIN") returned 1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="rsa") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="NTDETECT.COM") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="ntldr") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="MSDOS.SYS") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="IO.SYS") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="boot.ini") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="AUTOEXEC.BAT") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="ntuser.dat") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="desktop.ini") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="CONFIG.SYS") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="RECYCLER") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="BOOTSECT.BAK") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="bootmgr") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="programdata") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="appdata") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="program files") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="program files (x86)") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="microsoft") returned -1 [0297.028] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="sophos") returned -1 [0297.028] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe30 [0297.028] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0297.028] PathFindExtensionW (pszPath="75B0P VvL kbeDTBCK.mkv") returned=".mkv" [0297.028] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0297.028] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0297.029] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0297.029] lstrcmpiW (lpString1="75B0P VvL kbeDTBCK.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0297.029] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dec00 [0297.029] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\rb9\\75B0P VvL kbeDTBCK.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\rb9\\75b0p vvl kbedtbck.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0297.030] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=4737) returned 1 [0297.030] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.030] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.030] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.030] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.030] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22078 [0297.030] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23410 [0297.030] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22078*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d22078*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0297.030] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23410*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23410*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0297.031] GetTickCount () returned 0x118a4ba [0297.031] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9e0 [0297.031] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9e0 | out: hHeap=0x28d0000) returned 1 [0297.031] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1281, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.031] SetLastError (dwErrCode=0x0) [0297.031] WriteFile (in: hFile=0x274, lpBuffer=0x2d22078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22078*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0297.032] GetLastError () returned 0x0 [0297.032] GetLastError () returned 0x0 [0297.032] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1381, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.032] WriteFile (in: hFile=0x274, lpBuffer=0x2d23410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23410*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0297.032] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1481, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.033] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd75bd763, dwHighDateTime=0x1d5fd73)) [0297.033] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdd8 [0297.033] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0297.033] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0297.033] GetProcessHeap () returned 0xa10000 [0297.033] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1281) returned 0xa406b0 [0297.033] GetSystemDefaultLangID () returned 0xa20409 [0297.033] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.033] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x1281, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x1281, lpOverlapped=0x0) returned 1 [0297.033] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.033] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x1281, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x1281, lpOverlapped=0x0) returned 1 [0297.034] GetProcessHeap () returned 0xa10000 [0297.034] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0297.034] CloseHandle (hObject=0x274) returned 1 [0297.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22078 | out: hHeap=0x28d0000) returned 1 [0297.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23410 | out: hHeap=0x28d0000) returned 1 [0297.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.034] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.034] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec78 [0297.034] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\rb9\\75B0P VvL kbeDTBCK.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\rb9\\75b0p vvl kbedtbck.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\rb9\\75B0P VvL kbeDTBCK.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\rb9\\75b0p vvl kbedtbck.mkv.nefilim")) returned 1 [0297.035] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec78 | out: hHeap=0x28d0000) returned 1 [0297.035] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0297.035] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x704e7a40, ftCreationTime.dwHighDateTime=0x1d5e66e, ftLastAccessTime.dwLowDateTime=0x67752910, ftLastAccessTime.dwHighDateTime=0x1d5eca8, ftLastWriteTime.dwLowDateTime=0x67752910, ftLastWriteTime.dwHighDateTime=0x1d5eca8, nFileSizeHigh=0x0, nFileSizeLow=0x945c, dwReserved0=0x28dbd80, dwReserved1=0x7d00007d, cFileName="GwYP.mkv", cAlternateFileName="")) returned 1 [0297.035] lstrcmpiW (lpString1="GwYP.mkv", lpString2=".") returned 1 [0297.035] lstrcmpiW (lpString1="GwYP.mkv", lpString2="..") returned 1 [0297.035] lstrcmpiW (lpString1="GwYP.mkv", lpString2="...") returned 1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="windows") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="$RECYCLE.BIN") returned 1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="rsa") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="NTDETECT.COM") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="ntldr") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="MSDOS.SYS") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="IO.SYS") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="boot.ini") returned 1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="ntuser.dat") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="desktop.ini") returned 1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="CONFIG.SYS") returned 1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="RECYCLER") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="BOOTSECT.BAK") returned 1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="bootmgr") returned 1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="programdata") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="appdata") returned 1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="program files") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="program files (x86)") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="microsoft") returned -1 [0297.036] lstrcmpiW (lpString1="GwYP.mkv", lpString2="sophos") returned -1 [0297.036] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dec00 [0297.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe30 | out: hHeap=0x28d0000) returned 1 [0297.036] PathFindExtensionW (pszPath="GwYP.mkv") returned=".mkv" [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0297.037] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0297.037] lstrcmpiW (lpString1="GwYP.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0297.037] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdd8 [0297.037] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\rb9\\GwYP.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\rb9\\gwyp.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0297.038] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x26ee608 | out: lpFileSize=0x26ee608*=37980) returned 1 [0297.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.038] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.038] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23830 [0297.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0297.038] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23830*, pdwDataLen=0x26ee5c8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23830*, pdwDataLen=0x26ee5c8*=0x100) returned 1 [0297.038] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26ee5c4*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26ee5c4*=0x100) returned 1 [0297.039] GetTickCount () returned 0x118a4c9 [0297.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deac0 [0297.039] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deac0 | out: hHeap=0x28d0000) returned 1 [0297.039] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x945c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.039] SetLastError (dwErrCode=0x0) [0297.039] WriteFile (in: hFile=0x274, lpBuffer=0x2d23830*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d23830*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0297.040] GetLastError () returned 0x0 [0297.040] GetLastError () returned 0x0 [0297.040] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x955c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.040] WriteFile (in: hFile=0x274, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26ee620*=0x100, lpOverlapped=0x0) returned 1 [0297.041] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x965c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.041] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee5dc | out: lpSystemTimeAsFileTime=0x26ee5dc*(dwLowDateTime=0xd75e3a2b, dwHighDateTime=0x1d5fd73)) [0297.041] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbe40 [0297.041] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0297.041] WriteFile (in: hFile=0x274, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee620*=0x7, lpOverlapped=0x0) returned 1 [0297.041] GetProcessHeap () returned 0xa10000 [0297.041] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x945c) returned 0xa406b0 [0297.041] GetSystemDefaultLangID () returned 0xa20409 [0297.041] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.041] ReadFile (in: hFile=0x274, lpBuffer=0xa406b0, nNumberOfBytesToRead=0x945c, lpNumberOfBytesRead=0x26ee62c, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesRead=0x26ee62c*=0x945c, lpOverlapped=0x0) returned 1 [0297.044] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.044] WriteFile (in: hFile=0x274, lpBuffer=0xa406b0*, nNumberOfBytesToWrite=0x945c, lpNumberOfBytesWritten=0x26ee620, lpOverlapped=0x0 | out: lpBuffer=0xa406b0*, lpNumberOfBytesWritten=0x26ee620*=0x945c, lpOverlapped=0x0) returned 1 [0297.044] GetProcessHeap () returned 0xa10000 [0297.044] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa406b0 | out: hHeap=0xa10000) returned 1 [0297.046] CloseHandle (hObject=0x274) returned 1 [0297.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23830 | out: hHeap=0x28d0000) returned 1 [0297.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0297.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.046] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe40 [0297.046] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\rb9\\GwYP.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\rb9\\gwyp.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\rb9\\GwYP.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\rb9\\gwyp.mkv.nefilim")) returned 1 [0297.047] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe40 | out: hHeap=0x28d0000) returned 1 [0297.048] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdd8 | out: hHeap=0x28d0000) returned 1 [0297.048] FindNextFileW (in: hFindFile=0xa2f960, lpFindFileData=0x26ee718 | out: lpFindFileData=0x26ee718*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x704e7a40, ftCreationTime.dwHighDateTime=0x1d5e66e, ftLastAccessTime.dwLowDateTime=0x67752910, ftLastAccessTime.dwHighDateTime=0x1d5eca8, ftLastWriteTime.dwLowDateTime=0x67752910, ftLastWriteTime.dwHighDateTime=0x1d5eca8, nFileSizeHigh=0x0, nFileSizeLow=0x945c, dwReserved0=0x28dbd80, dwReserved1=0x7d00007d, cFileName="GwYP.mkv", cAlternateFileName="")) returned 0 [0297.048] FindClose (in: hFindFile=0xa2f960 | out: hFindFile=0xa2f960) returned 1 [0297.049] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dec00 | out: hHeap=0x28d0000) returned 1 [0297.049] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0297.049] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.049] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13db0fa0, ftCreationTime.dwHighDateTime=0x1d5eb67, ftLastAccessTime.dwLowDateTime=0x4a7f1c40, ftLastAccessTime.dwHighDateTime=0x1d5ec2f, ftLastWriteTime.dwLowDateTime=0x4a7f1c40, ftLastWriteTime.dwHighDateTime=0x1d5ec2f, nFileSizeHigh=0x0, nFileSizeLow=0xd926, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="XoaSBMQN-5K5Q.mp4", cAlternateFileName="XOASBM~1.MP4")) returned 1 [0297.049] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2=".") returned 1 [0297.049] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="..") returned 1 [0297.049] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="...") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="windows") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="$RECYCLE.BIN") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="rsa") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="NTDETECT.COM") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="ntldr") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="MSDOS.SYS") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="IO.SYS") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="boot.ini") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="ntuser.dat") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="desktop.ini") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="CONFIG.SYS") returned 1 [0297.050] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="RECYCLER") returned 1 [0297.102] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="BOOTSECT.BAK") returned 1 [0297.102] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="bootmgr") returned 1 [0297.102] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="programdata") returned 1 [0297.102] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="appdata") returned 1 [0297.102] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="program files") returned 1 [0297.102] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="program files (x86)") returned 1 [0297.102] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="microsoft") returned 1 [0297.102] lstrcmpiW (lpString1="XoaSBMQN-5K5Q.mp4", lpString2="sophos") returned 1 [0297.102] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0297.102] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0297.102] PathFindExtensionW (pszPath="XoaSBMQN-5K5Q.mp4") returned=".mp4" [0297.102] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0297.103] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0297.103] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x852107e0, ftCreationTime.dwHighDateTime=0x1d5e7bc, ftLastAccessTime.dwLowDateTime=0xd6a39ee0, ftLastAccessTime.dwHighDateTime=0x1d5e19d, ftLastWriteTime.dwLowDateTime=0xd6a39ee0, ftLastWriteTime.dwHighDateTime=0x1d5e19d, nFileSizeHigh=0x0, nFileSizeLow=0x12bbf, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="XqSMtp.mkv", cAlternateFileName="")) returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2=".") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="..") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="...") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="windows") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="$RECYCLE.BIN") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="rsa") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="NTDETECT.COM") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="ntldr") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="MSDOS.SYS") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="IO.SYS") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="boot.ini") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="ntuser.dat") returned 1 [0297.103] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="desktop.ini") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="CONFIG.SYS") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="RECYCLER") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="BOOTSECT.BAK") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="bootmgr") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="programdata") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="appdata") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="program files") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="program files (x86)") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="microsoft") returned 1 [0297.104] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="sophos") returned 1 [0297.104] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd28 [0297.104] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.104] PathFindExtensionW (pszPath="XqSMtp.mkv") returned=".mkv" [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0297.104] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0297.105] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0297.105] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0297.105] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0297.105] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0297.105] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0297.105] lstrcmpiW (lpString1="XqSMtp.mkv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0297.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0297.105] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\XqSMtp.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\xqsmtp.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0297.105] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=76735) returned 1 [0297.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.105] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.106] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.106] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23938 [0297.106] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d226a8 [0297.106] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23938*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23938*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0297.106] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d226a8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d226a8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0297.107] GetTickCount () returned 0x118a508 [0297.107] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de858 [0297.107] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de858 | out: hHeap=0x28d0000) returned 1 [0297.107] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12bbf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.107] SetLastError (dwErrCode=0x0) [0297.107] WriteFile (in: hFile=0x270, lpBuffer=0x2d23938*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23938*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0297.108] GetLastError () returned 0x0 [0297.108] GetLastError () returned 0x0 [0297.108] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12cbf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.108] WriteFile (in: hFile=0x270, lpBuffer=0x2d226a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d226a8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0297.108] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12dbf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.108] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd767c2e4, dwHighDateTime=0x1d5fd73)) [0297.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd80 [0297.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd80 | out: hHeap=0x28d0000) returned 1 [0297.109] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0297.109] GetProcessHeap () returned 0xa10000 [0297.109] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x12bbf) returned 0xa3f6a8 [0297.109] GetSystemDefaultLangID () returned 0xa20409 [0297.109] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.109] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x12bbf, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x12bbf, lpOverlapped=0x0) returned 1 [0297.115] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.115] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x12bbf, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x12bbf, lpOverlapped=0x0) returned 1 [0297.115] GetProcessHeap () returned 0xa10000 [0297.115] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0297.115] CloseHandle (hObject=0x270) returned 1 [0297.115] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23938 | out: hHeap=0x28d0000) returned 1 [0297.115] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d226a8 | out: hHeap=0x28d0000) returned 1 [0297.116] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.116] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.116] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd80 [0297.116] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\XqSMtp.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\xqsmtp.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\XqSMtp.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\xqsmtp.mkv.nefilim")) returned 1 [0297.117] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd80 | out: hHeap=0x28d0000) returned 1 [0297.117] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.117] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec8ce50, ftCreationTime.dwHighDateTime=0x1d5eb5b, ftLastAccessTime.dwLowDateTime=0xb5ab740, ftLastAccessTime.dwHighDateTime=0x1d5ece8, ftLastWriteTime.dwLowDateTime=0xb5ab740, ftLastWriteTime.dwHighDateTime=0x1d5ece8, nFileSizeHigh=0x0, nFileSizeLow=0x8a68, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="_Ft4cboI3AtiUACztgN.avi", cAlternateFileName="_FT4CB~1.AVI")) returned 1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2=".") returned 1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="..") returned 1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="...") returned 1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="windows") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="$RECYCLE.BIN") returned 1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="rsa") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="NTDETECT.COM") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="ntldr") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="MSDOS.SYS") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="IO.SYS") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="boot.ini") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="AUTOEXEC.BAT") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="ntuser.dat") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="desktop.ini") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="CONFIG.SYS") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="RECYCLER") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="BOOTSECT.BAK") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="bootmgr") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="programdata") returned -1 [0297.117] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="appdata") returned -1 [0297.118] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="program files") returned -1 [0297.118] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="program files (x86)") returned -1 [0297.118] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="microsoft") returned -1 [0297.118] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="sophos") returned -1 [0297.118] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd80 [0297.118] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0297.118] PathFindExtensionW (pszPath="_Ft4cboI3AtiUACztgN.avi") returned=".avi" [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0297.118] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0297.119] lstrcmpiW (lpString1="_Ft4cboI3AtiUACztgN.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0297.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0297.119] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\_Ft4cboI3AtiUACztgN.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\_ft4cboi3atiuacztgn.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0297.119] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=35432) returned 1 [0297.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.119] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.119] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23c50 [0297.119] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23d58 [0297.119] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23c50*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23c50*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0297.122] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23d58*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d23d58*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0297.125] GetTickCount () returned 0x118a517 [0297.125] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea88 [0297.125] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea88 | out: hHeap=0x28d0000) returned 1 [0297.125] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8a68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.125] SetLastError (dwErrCode=0x0) [0297.125] WriteFile (in: hFile=0x270, lpBuffer=0x2d23c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23c50*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0297.126] GetLastError () returned 0x0 [0297.126] GetLastError () returned 0x0 [0297.126] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8b68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.126] WriteFile (in: hFile=0x270, lpBuffer=0x2d23d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23d58*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0297.126] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8c68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.126] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xd76a26a4, dwHighDateTime=0x1d5fd73)) [0297.126] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd38 [0297.127] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0297.127] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0297.127] GetProcessHeap () returned 0xa10000 [0297.127] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x8a68) returned 0xa3f6a8 [0297.127] GetSystemDefaultLangID () returned 0xa20409 [0297.127] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.127] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x8a68, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x8a68, lpOverlapped=0x0) returned 1 [0297.130] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.130] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x8a68, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x8a68, lpOverlapped=0x0) returned 1 [0297.130] GetProcessHeap () returned 0xa10000 [0297.130] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0297.130] CloseHandle (hObject=0x270) returned 1 [0297.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23c50 | out: hHeap=0x28d0000) returned 1 [0297.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23d58 | out: hHeap=0x28d0000) returned 1 [0297.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.131] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.131] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdf8 [0297.131] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\_Ft4cboI3AtiUACztgN.avi" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\_ft4cboi3atiuacztgn.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\Lryq\\_Ft4cboI3AtiUACztgN.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\lryq\\_ft4cboi3atiuacztgn.avi.nefilim")) returned 1 [0297.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0297.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.132] FindNextFileW (in: hFindFile=0xa2f420, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec8ce50, ftCreationTime.dwHighDateTime=0x1d5eb5b, ftLastAccessTime.dwLowDateTime=0xb5ab740, ftLastAccessTime.dwHighDateTime=0x1d5ece8, ftLastWriteTime.dwLowDateTime=0xb5ab740, ftLastWriteTime.dwHighDateTime=0x1d5ece8, nFileSizeHigh=0x0, nFileSizeLow=0x8a68, dwReserved0=0x28de720, dwReserved1=0x0, cFileName="_Ft4cboI3AtiUACztgN.avi", cAlternateFileName="_FT4CB~1.AVI")) returned 0 [0297.132] FindClose (in: hFindFile=0xa2f420 | out: hFindFile=0xa2f420) returned 1 [0297.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd80 | out: hHeap=0x28d0000) returned 1 [0297.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de7b0 | out: hHeap=0x28d0000) returned 1 [0297.132] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0297.132] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cc556b0, ftCreationTime.dwHighDateTime=0x1d5e205, ftLastAccessTime.dwLowDateTime=0x169717d0, ftLastAccessTime.dwHighDateTime=0x1d5e413, ftLastWriteTime.dwLowDateTime=0x169717d0, ftLastWriteTime.dwHighDateTime=0x1d5e413, nFileSizeHigh=0x0, nFileSizeLow=0x1fd7, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="pNabDdtFJjTx.flv", cAlternateFileName="PNABDD~1.FLV")) returned 1 [0297.132] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2=".") returned 1 [0297.132] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="..") returned 1 [0297.132] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="...") returned 1 [0297.132] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="windows") returned -1 [0297.132] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="$RECYCLE.BIN") returned 1 [0297.132] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="rsa") returned -1 [0297.132] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="NTDETECT.COM") returned 1 [0297.132] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="ntldr") returned 1 [0297.132] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="MSDOS.SYS") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="IO.SYS") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="boot.ini") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="AUTOEXEC.BAT") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="ntuser.dat") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="desktop.ini") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="CONFIG.SYS") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="RECYCLER") returned -1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="BOOTSECT.BAK") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="bootmgr") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="programdata") returned -1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="appdata") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="program files") returned -1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="program files (x86)") returned -1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="microsoft") returned 1 [0297.133] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="sophos") returned -1 [0297.133] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de768 [0297.133] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.133] PathFindExtensionW (pszPath="pNabDdtFJjTx.flv") returned=".flv" [0297.133] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0297.133] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0297.133] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0297.133] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0297.133] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0297.133] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0297.133] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0297.133] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0297.134] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0297.134] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0297.134] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0297.134] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0297.134] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0297.134] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0297.134] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0297.134] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0297.134] lstrcmpiW (lpString1="pNabDdtFJjTx.flv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0297.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0297.134] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\pNabDdtFJjTx.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pnabddtfjjtx.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0297.134] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=8151) returned 1 [0297.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.134] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.134] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.134] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23410 [0297.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0297.135] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23410*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d23410*, pdwDataLen=0x26eec08*=0x100) returned 1 [0297.135] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0297.135] GetTickCount () returned 0x118a527 [0297.135] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de858 [0297.135] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de858 | out: hHeap=0x28d0000) returned 1 [0297.135] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1fd7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.136] SetLastError (dwErrCode=0x0) [0297.136] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23410*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.137] GetLastError () returned 0x0 [0297.137] GetLastError () returned 0x0 [0297.137] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x20d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.137] WriteFile (in: hFile=0x26c, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.137] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x21d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.137] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd76c89c5, dwHighDateTime=0x1d5fd73)) [0297.137] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0297.137] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.137] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0297.137] GetProcessHeap () returned 0xa10000 [0297.137] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1fd7) returned 0xa3e6a0 [0297.137] GetSystemDefaultLangID () returned 0xa20409 [0297.137] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.137] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x1fd7, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x1fd7, lpOverlapped=0x0) returned 1 [0297.138] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.138] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x1fd7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x1fd7, lpOverlapped=0x0) returned 1 [0297.138] GetProcessHeap () returned 0xa10000 [0297.138] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0297.138] CloseHandle (hObject=0x26c) returned 1 [0297.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23410 | out: hHeap=0x28d0000) returned 1 [0297.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0297.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.139] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0297.139] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\pNabDdtFJjTx.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pnabddtfjjtx.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\pNabDdtFJjTx.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\pnabddtfjjtx.flv.nefilim")) returned 1 [0297.140] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0297.140] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.140] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8790c4c0, ftCreationTime.dwHighDateTime=0x1d5e87f, ftLastAccessTime.dwLowDateTime=0xb096fb20, ftLastAccessTime.dwHighDateTime=0x1d5e6ed, ftLastWriteTime.dwLowDateTime=0xb096fb20, ftLastWriteTime.dwHighDateTime=0x1d5e6ed, nFileSizeHigh=0x0, nFileSizeLow=0x1373e, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="st73VWkop1F76dt.flv", cAlternateFileName="ST73VW~1.FLV")) returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2=".") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="..") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="...") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="windows") returned -1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="$RECYCLE.BIN") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="rsa") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="NTDETECT.COM") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="ntldr") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="MSDOS.SYS") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="IO.SYS") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="boot.ini") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="AUTOEXEC.BAT") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="ntuser.dat") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="desktop.ini") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="CONFIG.SYS") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="RECYCLER") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="BOOTSECT.BAK") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="bootmgr") returned 1 [0297.140] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="programdata") returned 1 [0297.141] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="appdata") returned 1 [0297.141] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="program files") returned 1 [0297.141] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="program files (x86)") returned 1 [0297.141] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="microsoft") returned 1 [0297.141] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="sophos") returned 1 [0297.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0297.141] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0297.141] PathFindExtensionW (pszPath="st73VWkop1F76dt.flv") returned=".flv" [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0297.141] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0297.141] lstrcmpiW (lpString1="st73VWkop1F76dt.flv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0297.142] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0297.142] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\st73VWkop1F76dt.flv" (normalized: "c:\\users\\fd1hvy\\videos\\st73vwkop1f76dt.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0297.142] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=79678) returned 1 [0297.142] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.142] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.142] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.142] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.142] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d227b0 [0297.142] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d228b8 [0297.142] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d227b0*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d227b0*, pdwDataLen=0x26eec08*=0x100) returned 1 [0297.143] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d228b8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d228b8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0297.146] GetTickCount () returned 0x118a537 [0297.146] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de890 [0297.146] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de890 | out: hHeap=0x28d0000) returned 1 [0297.146] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1373e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.146] SetLastError (dwErrCode=0x0) [0297.146] WriteFile (in: hFile=0x26c, lpBuffer=0x2d227b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d227b0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.147] GetLastError () returned 0x0 [0297.147] GetLastError () returned 0x0 [0297.147] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1383e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.147] WriteFile (in: hFile=0x26c, lpBuffer=0x2d228b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d228b8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.148] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1393e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.148] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd76eeabe, dwHighDateTime=0x1d5fd73)) [0297.148] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de788 [0297.148] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0297.148] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0297.148] GetProcessHeap () returned 0xa10000 [0297.148] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1373e) returned 0xa3e6a0 [0297.149] GetSystemDefaultLangID () returned 0xa20409 [0297.149] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.150] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x1373e, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x1373e, lpOverlapped=0x0) returned 1 [0297.155] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.156] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x1373e, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x1373e, lpOverlapped=0x0) returned 1 [0297.156] GetProcessHeap () returned 0xa10000 [0297.156] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0297.156] CloseHandle (hObject=0x26c) returned 1 [0297.156] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d227b0 | out: hHeap=0x28d0000) returned 1 [0297.156] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d228b8 | out: hHeap=0x28d0000) returned 1 [0297.156] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.156] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.156] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0297.157] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\st73VWkop1F76dt.flv" (normalized: "c:\\users\\fd1hvy\\videos\\st73vwkop1f76dt.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\st73VWkop1F76dt.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\st73vwkop1f76dt.flv.nefilim")) returned 1 [0297.157] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0297.157] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.157] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8790c4c0, ftCreationTime.dwHighDateTime=0x1d5e87f, ftLastAccessTime.dwLowDateTime=0xb096fb20, ftLastAccessTime.dwHighDateTime=0x1d5e6ed, ftLastWriteTime.dwLowDateTime=0xb096fb20, ftLastWriteTime.dwHighDateTime=0x1d5e6ed, nFileSizeHigh=0x0, nFileSizeLow=0x1373e, dwReserved0=0x28dbcc0, dwReserved1=0xc896f3a3, cFileName="st73VWkop1F76dt.flv", cAlternateFileName="ST73VW~1.FLV")) returned 0 [0297.158] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0297.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c8 | out: hHeap=0x28d0000) returned 1 [0297.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf8 | out: hHeap=0x28d0000) returned 1 [0297.158] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe765f877, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe765f877, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Videos", cAlternateFileName="")) returned 0 [0297.158] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0297.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9a8 | out: hHeap=0x28d0000) returned 1 [0297.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12b0 | out: hHeap=0x28d0000) returned 1 [0297.158] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.158] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="Public", cAlternateFileName="")) returned 1 [0297.158] lstrcmpiW (lpString1="Public", lpString2=".") returned 1 [0297.158] lstrcmpiW (lpString1="Public", lpString2="..") returned 1 [0297.158] lstrcmpiW (lpString1="Public", lpString2="...") returned 1 [0297.158] lstrcmpiW (lpString1="Public", lpString2="windows") returned -1 [0297.158] lstrcmpiW (lpString1="Public", lpString2="$RECYCLE.BIN") returned 1 [0297.158] lstrcmpiW (lpString1="Public", lpString2="rsa") returned -1 [0297.158] lstrcmpiW (lpString1="Public", lpString2="NTDETECT.COM") returned 1 [0297.158] lstrcmpiW (lpString1="Public", lpString2="ntldr") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="MSDOS.SYS") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="IO.SYS") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="boot.ini") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="AUTOEXEC.BAT") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="ntuser.dat") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="desktop.ini") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="CONFIG.SYS") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="RECYCLER") returned -1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="BOOTSECT.BAK") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="bootmgr") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="programdata") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="appdata") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="program files") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="program files (x86)") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="microsoft") returned 1 [0297.159] lstrcmpiW (lpString1="Public", lpString2="sophos") returned -1 [0297.159] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28de6b0 [0297.159] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9e0 [0297.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de6b0 | out: hHeap=0x28d0000) returned 1 [0297.159] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.159] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de890 [0297.159] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb30 [0297.159] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de858 [0297.160] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0297.161] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.161] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="..", cAlternateFileName="")) returned 1 [0297.161] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.161] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.161] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2=".") returned 1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="..") returned 1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="...") returned 1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="windows") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="$RECYCLE.BIN") returned 1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="rsa") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="NTDETECT.COM") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="ntldr") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="MSDOS.SYS") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="IO.SYS") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="boot.ini") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="AUTOEXEC.BAT") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="ntuser.dat") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="desktop.ini") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="CONFIG.SYS") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="RECYCLER") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="BOOTSECT.BAK") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="bootmgr") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="programdata") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="appdata") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="program files") returned -1 [0297.161] lstrcmpiW (lpString1="AccountPictures", lpString2="program files (x86)") returned -1 [0297.162] lstrcmpiW (lpString1="AccountPictures", lpString2="microsoft") returned -1 [0297.162] lstrcmpiW (lpString1="AccountPictures", lpString2="sophos") returned -1 [0297.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x5e) returned 0x28d1278 [0297.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.162] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de858 | out: hHeap=0x28d0000) returned 1 [0297.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0297.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de778 [0297.162] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0297.162] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1b00001b, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0297.164] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.164] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1b00001b, cFileName="..", cAlternateFileName="")) returned 1 [0297.164] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.164] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.164] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x1b00001b, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0297.164] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0297.165] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x1b00001b, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0297.165] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0297.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de778 | out: hHeap=0x28d0000) returned 1 [0297.165] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.165] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Desktop", cAlternateFileName="")) returned 1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0297.165] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0297.166] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0297.166] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0297.166] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0297.166] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0297.166] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0297.166] lstrcmpiW (lpString1="Desktop", lpString2="microsoft") returned -1 [0297.166] lstrcmpiW (lpString1="Desktop", lpString2="sophos") returned -1 [0297.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de858 [0297.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x46) returned 0x28de720 [0297.166] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de858 | out: hHeap=0x28d0000) returned 1 [0297.166] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de770 [0297.166] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0297.166] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x49000049, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0297.166] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.166] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x49000049, cFileName="..", cAlternateFileName="")) returned 1 [0297.167] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.167] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.167] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38bb5c78, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x38bb5c78, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x38bb5c78, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x852, dwReserved0=0x0, dwReserved1=0x49000049, cFileName="Acrobat Reader DC.lnk", cAlternateFileName="ACROBA~1.LNK")) returned 1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2=".") returned 1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="..") returned 1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="...") returned 1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="windows") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="$RECYCLE.BIN") returned 1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="rsa") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="NTDETECT.COM") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="ntldr") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="MSDOS.SYS") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="IO.SYS") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="boot.ini") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="AUTOEXEC.BAT") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="ntuser.dat") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="desktop.ini") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="CONFIG.SYS") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="RECYCLER") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="BOOTSECT.BAK") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="bootmgr") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="programdata") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="appdata") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="program files") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="program files (x86)") returned -1 [0297.167] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="microsoft") returned -1 [0297.168] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="sophos") returned -1 [0297.168] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0297.168] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.168] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0297.168] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0297.168] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0297.168] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0297.168] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0297.168] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0297.168] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0297.168] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.169] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0297.169] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0297.169] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0297.169] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0297.169] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0297.169] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0297.169] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.169] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0297.169] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0297.169] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c3ce2c, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x91a, dwReserved0=0x0, dwReserved1=0x49000049, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="...") returned 1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="windows") returned -1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$RECYCLE.BIN") returned 1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="rsa") returned -1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="NTDETECT.COM") returned -1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ntldr") returned -1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="MSDOS.SYS") returned -1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="IO.SYS") returned -1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="boot.ini") returned 1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ntuser.dat") returned -1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="desktop.ini") returned 1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="CONFIG.SYS") returned 1 [0297.169] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="RECYCLER") returned -1 [0297.170] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="BOOTSECT.BAK") returned 1 [0297.170] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="bootmgr") returned 1 [0297.170] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="programdata") returned -1 [0297.170] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="appdata") returned 1 [0297.170] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="program files") returned -1 [0297.170] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="program files (x86)") returned -1 [0297.170] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="microsoft") returned -1 [0297.170] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="sophos") returned -1 [0297.170] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28d1278 [0297.170] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.170] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0297.170] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0297.171] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0297.171] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0297.171] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0297.171] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0297.171] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x0, dwReserved1=0x49000049, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="...") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="windows") returned -1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="$RECYCLE.BIN") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="rsa") returned -1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="NTDETECT.COM") returned -1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ntldr") returned -1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="MSDOS.SYS") returned -1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="IO.SYS") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="boot.ini") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ntuser.dat") returned -1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="desktop.ini") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="CONFIG.SYS") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="RECYCLER") returned -1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="BOOTSECT.BAK") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="bootmgr") returned 1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="programdata") returned -1 [0297.171] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="appdata") returned 1 [0297.172] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="program files") returned -1 [0297.172] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="program files (x86)") returned -1 [0297.172] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="microsoft") returned 1 [0297.172] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="sophos") returned -1 [0297.172] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0297.172] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.172] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0297.172] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0297.172] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x0, dwReserved1=0x49000049, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0297.173] FindClose (in: hFindFile=0xa2f720 | out: hFindFile=0xa2f720) returned 1 [0297.173] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.173] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de770 | out: hHeap=0x28d0000) returned 1 [0297.173] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.173] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0297.173] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0297.173] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0297.173] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0297.173] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0297.173] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0297.174] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0297.174] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.174] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.174] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0297.174] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0297.174] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0297.175] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x49000049, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0297.177] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.177] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x49000049, cFileName="..", cAlternateFileName="")) returned 1 [0297.177] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.177] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.177] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0297.177] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0297.177] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0297.177] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0297.177] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0297.177] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.177] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0297.177] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0297.177] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0297.177] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0297.178] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0297.178] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0297.178] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.178] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0297.178] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0297.178] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0297.178] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0297.179] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0297.179] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0297.179] lstrcmpiW (lpString1="My Music", lpString2="microsoft") returned 1 [0297.179] lstrcmpiW (lpString1="My Music", lpString2="sophos") returned -1 [0297.179] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de768 [0297.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.179] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0297.179] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd18 [0297.179] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd70 [0297.179] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0xffff24d8, ftCreationTime.dwHighDateTime=0x7d00007d, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x49000049, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01변ʍʍF")) returned 0xffffffff [0297.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd70 | out: hHeap=0x28d0000) returned 1 [0297.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0297.179] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.179] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0297.179] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0297.179] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0297.179] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="microsoft") returned 1 [0297.180] lstrcmpiW (lpString1="My Pictures", lpString2="sophos") returned -1 [0297.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0297.180] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0297.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0297.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de778 [0297.180] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0297.181] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0xffff24d8, ftCreationTime.dwHighDateTime=0x3e00003e, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x7d00007d, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01ʍ변ʍL")) returned 0xffffffff [0297.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0297.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de778 | out: hHeap=0x28d0000) returned 1 [0297.181] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.181] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0297.181] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0297.182] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0297.182] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0297.182] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0297.182] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0297.182] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0297.182] lstrcmpiW (lpString1="My Videos", lpString2="microsoft") returned 1 [0297.182] lstrcmpiW (lpString1="My Videos", lpString2="sophos") returned -1 [0297.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0297.182] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de778 [0297.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0297.182] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd18 [0297.182] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0xffff24d8, ftCreationTime.dwHighDateTime=0x49000049, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x3e00003e, nFileSizeHigh=0x28d0000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɮ⊺\x01ʍʍH")) returned 0xffffffff [0297.182] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0297.182] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.182] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de778 | out: hHeap=0x28d0000) returned 1 [0297.182] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0297.182] FindClose (in: hFindFile=0xa2f8e0 | out: hFindFile=0xa2f8e0) returned 1 [0297.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0297.183] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.183] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="$RECYCLE.BIN") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="NTDETECT.COM") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="ntldr") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="MSDOS.SYS") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="IO.SYS") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="boot.ini") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="AUTOEXEC.BAT") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="desktop.ini") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="CONFIG.SYS") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="RECYCLER") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="BOOTSECT.BAK") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="microsoft") returned -1 [0297.184] lstrcmpiW (lpString1="Downloads", lpString2="sophos") returned -1 [0297.184] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0297.184] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0297.185] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0297.185] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0297.185] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.185] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="..", cAlternateFileName="")) returned 1 [0297.185] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.185] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.185] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0297.185] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0297.186] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0297.186] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.186] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0297.186] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0297.186] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0297.186] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0297.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0297.186] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.186] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2=".") returned 1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="..") returned 1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="...") returned 1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="windows") returned -1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="$RECYCLE.BIN") returned 1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="rsa") returned -1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="NTDETECT.COM") returned -1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="ntldr") returned -1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="MSDOS.SYS") returned -1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="IO.SYS") returned 1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="boot.ini") returned 1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="AUTOEXEC.BAT") returned 1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="ntuser.dat") returned -1 [0297.186] lstrcmpiW (lpString1="Libraries", lpString2="desktop.ini") returned 1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="CONFIG.SYS") returned 1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="RECYCLER") returned -1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="BOOTSECT.BAK") returned 1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="bootmgr") returned 1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="programdata") returned -1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="appdata") returned 1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="program files") returned -1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="program files (x86)") returned -1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="microsoft") returned -1 [0297.187] lstrcmpiW (lpString1="Libraries", lpString2="sophos") returned -1 [0297.187] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.187] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.187] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0297.187] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0297.187] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0297.187] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName=".", cAlternateFileName="")) returned 0xa2f760 [0297.187] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.187] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="..", cAlternateFileName="")) returned 1 [0297.187] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.188] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0297.188] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0297.188] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="...") returned 1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="windows") returned -1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="$RECYCLE.BIN") returned 1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="rsa") returned -1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NTDETECT.COM") returned 1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntldr") returned 1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="MSDOS.SYS") returned 1 [0297.188] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="IO.SYS") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="boot.ini") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="AUTOEXEC.BAT") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntuser.dat") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="desktop.ini") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="CONFIG.SYS") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="RECYCLER") returned -1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="BOOTSECT.BAK") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="bootmgr") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="programdata") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="appdata") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="program files") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="program files (x86)") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="microsoft") returned 1 [0297.189] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="sophos") returned -1 [0297.189] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de768 [0297.189] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.189] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0297.189] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x20) returned 0x28de430 [0297.189] lstrcmpiW (lpString1=".library-ms", lpString2=".exe") returned 1 [0297.189] lstrcmpiW (lpString1=".library-ms", lpString2=".log") returned -1 [0297.189] lstrcmpiW (lpString1=".library-ms", lpString2=".cab") returned 1 [0297.189] lstrcmpiW (lpString1=".library-ms", lpString2=".cmd") returned 1 [0297.189] lstrcmpiW (lpString1=".library-ms", lpString2=".com") returned 1 [0297.189] lstrcmpiW (lpString1=".library-ms", lpString2=".cpl") returned 1 [0297.189] lstrcmpiW (lpString1=".library-ms", lpString2=".ini") returned 1 [0297.189] lstrcmpiW (lpString1=".library-ms", lpString2=".dll") returned 1 [0297.190] lstrcmpiW (lpString1=".library-ms", lpString2=".url") returned -1 [0297.190] lstrcmpiW (lpString1=".library-ms", lpString2=".ttf") returned -1 [0297.190] lstrcmpiW (lpString1=".library-ms", lpString2=".mp3") returned -1 [0297.190] lstrcmpiW (lpString1=".library-ms", lpString2=".pif") returned -1 [0297.190] lstrcmpiW (lpString1=".library-ms", lpString2=".mp4") returned -1 [0297.190] lstrcmpiW (lpString1=".library-ms", lpString2=".NEFILIM") returned -1 [0297.190] lstrcmpiW (lpString1=".library-ms", lpString2=".msi") returned -1 [0297.190] lstrcmpiW (lpString1=".library-ms", lpString2=".lnk") returned -1 [0297.190] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0297.190] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0297.190] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0297.191] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=960) returned 1 [0297.199] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.199] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.199] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.199] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.199] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23c50 [0297.199] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0297.199] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23c50*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d23c50*, pdwDataLen=0x26eec08*=0x100) returned 1 [0297.200] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0297.200] GetTickCount () returned 0x118a565 [0297.200] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf8 [0297.200] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf8 | out: hHeap=0x28d0000) returned 1 [0297.200] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.200] SetLastError (dwErrCode=0x0) [0297.200] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23c50*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.202] GetLastError () returned 0x0 [0297.202] GetLastError () returned 0x0 [0297.202] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.203] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.203] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.203] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd7761292, dwHighDateTime=0x1d5fd73)) [0297.203] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0297.203] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.203] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0297.203] GetProcessHeap () returned 0xa10000 [0297.203] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x3c0) returned 0xa34b88 [0297.203] GetSystemDefaultLangID () returned 0xa20409 [0297.203] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.203] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x3c0, lpOverlapped=0x0) returned 1 [0297.203] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.203] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x3c0, lpOverlapped=0x0) returned 1 [0297.204] GetProcessHeap () returned 0xa10000 [0297.204] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0297.204] CloseHandle (hObject=0x26c) returned 1 [0297.204] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23c50 | out: hHeap=0x28d0000) returned 1 [0297.204] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0297.204] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.204] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.204] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0297.204] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.NEFILIM" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.nefilim")) returned 1 [0297.205] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0297.205] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.205] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de430 | out: hHeap=0x28d0000) returned 1 [0297.205] FindNextFileW (in: hFindFile=0xa2f760, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0297.205] FindClose (in: hFindFile=0xa2f760 | out: hFindFile=0xa2f760) returned 1 [0297.205] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de768 | out: hHeap=0x28d0000) returned 1 [0297.205] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0297.205] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.205] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Music", cAlternateFileName="")) returned 1 [0297.205] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0297.205] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="$RECYCLE.BIN") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="NTDETECT.COM") returned -1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="ntldr") returned -1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="MSDOS.SYS") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="IO.SYS") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="boot.ini") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="AUTOEXEC.BAT") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="desktop.ini") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="CONFIG.SYS") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="RECYCLER") returned -1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="BOOTSECT.BAK") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="microsoft") returned 1 [0297.206] lstrcmpiW (lpString1="Music", lpString2="sophos") returned -1 [0297.206] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9a8 [0297.207] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.207] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf8 [0297.207] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea18 [0297.207] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.207] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName=".", cAlternateFileName="")) returned 0xa2f9e0 [0297.207] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.207] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="..", cAlternateFileName="")) returned 1 [0297.207] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.207] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.207] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0297.207] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0297.207] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0297.207] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0297.207] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0297.207] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.207] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0297.207] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0297.208] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0297.208] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0297.208] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0297.208] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0297.208] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.208] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0297.208] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0297.208] FindNextFileW (in: hFindFile=0xa2f9e0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0297.208] FindClose (in: hFindFile=0xa2f9e0 | out: hFindFile=0xa2f9e0) returned 1 [0297.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea18 | out: hHeap=0x28d0000) returned 1 [0297.208] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf8 | out: hHeap=0x28d0000) returned 1 [0297.208] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Pictures", cAlternateFileName="")) returned 1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2="$RECYCLE.BIN") returned 1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2="NTDETECT.COM") returned 1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2="ntldr") returned 1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2="MSDOS.SYS") returned 1 [0297.208] lstrcmpiW (lpString1="Pictures", lpString2="IO.SYS") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="boot.ini") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="desktop.ini") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="CONFIG.SYS") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="RECYCLER") returned -1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="BOOTSECT.BAK") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="microsoft") returned 1 [0297.209] lstrcmpiW (lpString1="Pictures", lpString2="sophos") returned -1 [0297.209] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.209] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9a8 | out: hHeap=0x28d0000) returned 1 [0297.209] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0297.209] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0297.209] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0297.209] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0297.209] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.210] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="..", cAlternateFileName="")) returned 1 [0297.210] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.210] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.210] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0297.210] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0297.210] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0297.210] FindClose (in: hFindFile=0xa2f920 | out: hFindFile=0xa2f920) returned 1 [0297.210] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.210] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0297.211] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.211] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Videos", cAlternateFileName="")) returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="$RECYCLE.BIN") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="NTDETECT.COM") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="ntldr") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="MSDOS.SYS") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="IO.SYS") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="boot.ini") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="AUTOEXEC.BAT") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="desktop.ini") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="CONFIG.SYS") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="RECYCLER") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="BOOTSECT.BAK") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="microsoft") returned 1 [0297.211] lstrcmpiW (lpString1="Videos", lpString2="sophos") returned 1 [0297.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de900 [0297.212] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c8 [0297.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deba0 [0297.212] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.212] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName=".", cAlternateFileName="")) returned 0xa2f5a0 [0297.212] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.212] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="..", cAlternateFileName="")) returned 1 [0297.212] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.212] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.212] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0297.212] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0297.212] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0297.212] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0297.212] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0297.212] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.212] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0297.212] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0297.213] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0297.213] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0297.213] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0297.213] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0297.213] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.213] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0297.213] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0297.213] FindNextFileW (in: hFindFile=0xa2f5a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0297.213] FindClose (in: hFindFile=0xa2f5a0 | out: hFindFile=0xa2f5a0) returned 1 [0297.213] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.213] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deba0 | out: hHeap=0x28d0000) returned 1 [0297.213] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c8 | out: hHeap=0x28d0000) returned 1 [0297.213] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x49000049, cFileName="Videos", cAlternateFileName="")) returned 0 [0297.213] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0297.213] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de900 | out: hHeap=0x28d0000) returned 1 [0297.213] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb30 | out: hHeap=0x28d0000) returned 1 [0297.213] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de890 | out: hHeap=0x28d0000) returned 1 [0297.213] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="Public", cAlternateFileName="")) returned 0 [0297.213] FindClose (in: hFindFile=0xa2f560 | out: hFindFile=0xa2f560) returned 1 [0297.214] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9e0 | out: hHeap=0x28d0000) returned 1 [0297.214] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0297.214] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d20d8 | out: hHeap=0x28d0000) returned 1 [0297.214] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0297.214] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0297.214] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0297.214] lstrcmpiW (lpString1="Windows", lpString2="...") returned 1 [0297.214] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0297.214] FindNextFileW (in: hFindFile=0xa2f2a0, lpFindFileData=0x26ef6b8 | out: lpFindFileData=0x26ef6b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2=".") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="..") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="...") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="windows") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="$RECYCLE.BIN") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="rsa") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="NTDETECT.COM") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="ntldr") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="MSDOS.SYS") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="IO.SYS") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="boot.ini") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="AUTOEXEC.BAT") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="ntuser.dat") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="desktop.ini") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="CONFIG.SYS") returned 1 [0297.214] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="RECYCLER") returned 1 [0297.215] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="BOOTSECT.BAK") returned 1 [0297.215] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="bootmgr") returned 1 [0297.215] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="programdata") returned 1 [0297.215] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="appdata") returned 1 [0297.215] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="program files") returned 1 [0297.215] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="program files (x86)") returned 1 [0297.215] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="microsoft") returned 1 [0297.215] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="sophos") returned 1 [0297.215] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea88 [0297.215] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1478 | out: hHeap=0x28d0000) returned 1 [0297.215] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de900 [0297.215] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de820 [0297.215] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deac0 [0297.215] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\*.*", lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xa2f8e0 [0297.217] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.217] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0297.218] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.218] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.218] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea355be9, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="2052", cAlternateFileName="")) returned 1 [0297.218] lstrcmpiW (lpString1="2052", lpString2=".") returned 1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="..") returned 1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="...") returned 1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="windows") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="$RECYCLE.BIN") returned 1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="rsa") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="NTDETECT.COM") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="ntldr") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="MSDOS.SYS") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="IO.SYS") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="boot.ini") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="AUTOEXEC.BAT") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="ntuser.dat") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="desktop.ini") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="CONFIG.SYS") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="RECYCLER") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="BOOTSECT.BAK") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="bootmgr") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="programdata") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="appdata") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="program files") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="program files (x86)") returned -1 [0297.218] lstrcmpiW (lpString1="2052", lpString2="microsoft") returned -1 [0297.219] lstrcmpiW (lpString1="2052", lpString2="sophos") returned -1 [0297.219] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0297.219] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deac0 | out: hHeap=0x28d0000) returned 1 [0297.219] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.219] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0297.219] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0297.219] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\2052\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea355be9, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f2e0 [0297.219] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.219] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea355be9, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0297.219] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.219] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.219] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea355be9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWINTL20.DLL", cAlternateFileName="")) returned 1 [0297.219] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2=".") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="..") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="...") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="windows") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="$RECYCLE.BIN") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="rsa") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="NTDETECT.COM") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="ntldr") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="MSDOS.SYS") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="IO.SYS") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="boot.ini") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="AUTOEXEC.BAT") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="ntuser.dat") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="desktop.ini") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="CONFIG.SYS") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="RECYCLER") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="BOOTSECT.BAK") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="bootmgr") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="programdata") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="appdata") returned 1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="program files") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="program files (x86)") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="microsoft") returned -1 [0297.220] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="sophos") returned -1 [0297.220] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0297.220] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0297.220] PathFindExtensionW (pszPath="DWINTL20.DLL") returned=".DLL" [0297.221] lstrcmpiW (lpString1=".DLL", lpString2=".exe") returned -1 [0297.221] lstrcmpiW (lpString1=".DLL", lpString2=".log") returned -1 [0297.221] lstrcmpiW (lpString1=".DLL", lpString2=".cab") returned 1 [0297.221] lstrcmpiW (lpString1=".DLL", lpString2=".cmd") returned 1 [0297.221] lstrcmpiW (lpString1=".DLL", lpString2=".com") returned 1 [0297.221] lstrcmpiW (lpString1=".DLL", lpString2=".cpl") returned 1 [0297.221] lstrcmpiW (lpString1=".DLL", lpString2=".ini") returned -1 [0297.221] lstrcmpiW (lpString1=".DLL", lpString2=".dll") returned 0 [0297.221] FindNextFileW (in: hFindFile=0xa2f2e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea355be9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWINTL20.DLL", cAlternateFileName="")) returned 0 [0297.221] FindClose (in: hFindFile=0xa2f2e0 | out: hFindFile=0xa2f2e0) returned 1 [0297.221] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.221] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.221] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.221] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3659ec, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3659ec, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x704c8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="appraiserxp.dll", cAlternateFileName="APPRAI~1.DLL")) returned 1 [0297.221] lstrcmpiW (lpString1="appraiserxp.dll", lpString2=".") returned 1 [0297.221] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="..") returned 1 [0297.221] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="...") returned 1 [0297.221] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="windows") returned -1 [0297.221] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.221] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="rsa") returned -1 [0297.221] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="NTDETECT.COM") returned -1 [0297.221] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="ntldr") returned -1 [0297.221] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="MSDOS.SYS") returned -1 [0297.222] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="IO.SYS") returned -1 [0297.222] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="boot.ini") returned -1 [0297.222] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="AUTOEXEC.BAT") returned -1 [0297.222] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="ntuser.dat") returned -1 [0297.222] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="desktop.ini") returned -1 [0297.222] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="CONFIG.SYS") returned -1 [0297.222] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="RECYCLER") returned -1 [0297.222] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="BOOTSECT.BAK") returned -1 [0297.222] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="bootmgr") returned -1 [0297.223] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="programdata") returned -1 [0297.223] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="appdata") returned 1 [0297.223] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="program files") returned -1 [0297.223] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="program files (x86)") returned -1 [0297.223] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="microsoft") returned -1 [0297.223] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="sophos") returned -1 [0297.223] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1278 [0297.223] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0297.223] PathFindExtensionW (pszPath="appraiserxp.dll") returned=".dll" [0297.223] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.223] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.223] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.223] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.223] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.223] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.223] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.224] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.224] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea36cf08, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea36cf08, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="bootsect.exe", cAlternateFileName="")) returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2=".") returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="..") returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="...") returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="windows") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="$RECYCLE.BIN") returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="rsa") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="NTDETECT.COM") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="ntldr") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="MSDOS.SYS") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="IO.SYS") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="boot.ini") returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="AUTOEXEC.BAT") returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="ntuser.dat") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="desktop.ini") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="CONFIG.SYS") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="RECYCLER") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="BOOTSECT.BAK") returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="bootmgr") returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="programdata") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="appdata") returned 1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="program files") returned -1 [0297.224] lstrcmpiW (lpString1="bootsect.exe", lpString2="program files (x86)") returned -1 [0297.225] lstrcmpiW (lpString1="bootsect.exe", lpString2="microsoft") returned -1 [0297.225] lstrcmpiW (lpString1="bootsect.exe", lpString2="sophos") returned -1 [0297.225] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0297.225] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.225] PathFindExtensionW (pszPath="bootsect.exe") returned=".exe" [0297.225] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0297.225] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea350dad, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea350dad, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xb08c3ee, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="Configuration.ini", cAlternateFileName="CONFIG~1.INI")) returned 1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2=".") returned 1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="..") returned 1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="...") returned 1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="windows") returned -1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="$RECYCLE.BIN") returned 1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="rsa") returned -1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="NTDETECT.COM") returned -1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="ntldr") returned -1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="MSDOS.SYS") returned -1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="IO.SYS") returned -1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="boot.ini") returned 1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="AUTOEXEC.BAT") returned 1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="ntuser.dat") returned -1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="desktop.ini") returned -1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="CONFIG.SYS") returned 1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="RECYCLER") returned -1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="BOOTSECT.BAK") returned 1 [0297.225] lstrcmpiW (lpString1="Configuration.ini", lpString2="bootmgr") returned 1 [0297.226] lstrcmpiW (lpString1="Configuration.ini", lpString2="programdata") returned -1 [0297.226] lstrcmpiW (lpString1="Configuration.ini", lpString2="appdata") returned 1 [0297.226] lstrcmpiW (lpString1="Configuration.ini", lpString2="program files") returned -1 [0297.226] lstrcmpiW (lpString1="Configuration.ini", lpString2="program files (x86)") returned -1 [0297.226] lstrcmpiW (lpString1="Configuration.ini", lpString2="microsoft") returned -1 [0297.226] lstrcmpiW (lpString1="Configuration.ini", lpString2="sophos") returned -1 [0297.226] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de778 [0297.226] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.226] PathFindExtensionW (pszPath="Configuration.ini") returned=".ini" [0297.226] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0297.226] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0297.226] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0297.226] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0297.226] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0297.226] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0297.226] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0297.226] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea36e29e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea36e29e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xf0c8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="cosquery.dll", cAlternateFileName="")) returned 1 [0297.226] lstrcmpiW (lpString1="cosquery.dll", lpString2=".") returned 1 [0297.226] lstrcmpiW (lpString1="cosquery.dll", lpString2="..") returned 1 [0297.226] lstrcmpiW (lpString1="cosquery.dll", lpString2="...") returned 1 [0297.226] lstrcmpiW (lpString1="cosquery.dll", lpString2="windows") returned -1 [0297.226] lstrcmpiW (lpString1="cosquery.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.226] lstrcmpiW (lpString1="cosquery.dll", lpString2="rsa") returned -1 [0297.226] lstrcmpiW (lpString1="cosquery.dll", lpString2="NTDETECT.COM") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="ntldr") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="MSDOS.SYS") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="IO.SYS") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="boot.ini") returned 1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="ntuser.dat") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="desktop.ini") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="CONFIG.SYS") returned 1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="RECYCLER") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="bootmgr") returned 1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="programdata") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="appdata") returned 1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="program files") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="program files (x86)") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="microsoft") returned -1 [0297.227] lstrcmpiW (lpString1="cosquery.dll", lpString2="sophos") returned -1 [0297.227] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0297.227] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de778 | out: hHeap=0x28d0000) returned 1 [0297.227] PathFindExtensionW (pszPath="cosquery.dll") returned=".dll" [0297.227] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.227] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.227] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.227] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.227] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.227] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.228] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.228] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.228] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea370998, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea370998, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x508c8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="DevInv.dll", cAlternateFileName="")) returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2=".") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="..") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="...") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="windows") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="rsa") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="NTDETECT.COM") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="ntldr") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="MSDOS.SYS") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="IO.SYS") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="boot.ini") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="ntuser.dat") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="desktop.ini") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="CONFIG.SYS") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="RECYCLER") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="bootmgr") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="programdata") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="appdata") returned 1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="program files") returned -1 [0297.228] lstrcmpiW (lpString1="DevInv.dll", lpString2="program files (x86)") returned -1 [0297.229] lstrcmpiW (lpString1="DevInv.dll", lpString2="microsoft") returned -1 [0297.229] lstrcmpiW (lpString1="DevInv.dll", lpString2="sophos") returned -1 [0297.229] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0297.229] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.229] PathFindExtensionW (pszPath="DevInv.dll") returned=".dll" [0297.229] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.229] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.229] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.229] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.229] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.229] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.229] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.229] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.229] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea377ed3, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="dll1", cAlternateFileName="")) returned 1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2=".") returned 1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="..") returned 1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="...") returned 1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="windows") returned -1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="$RECYCLE.BIN") returned 1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="rsa") returned -1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="NTDETECT.COM") returned -1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="ntldr") returned -1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="MSDOS.SYS") returned -1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="IO.SYS") returned -1 [0297.229] lstrcmpiW (lpString1="dll1", lpString2="boot.ini") returned 1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="AUTOEXEC.BAT") returned 1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="ntuser.dat") returned -1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="desktop.ini") returned 1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="CONFIG.SYS") returned 1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="RECYCLER") returned -1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="BOOTSECT.BAK") returned 1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="bootmgr") returned 1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="programdata") returned -1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="appdata") returned 1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="program files") returned -1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="program files (x86)") returned -1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="microsoft") returned -1 [0297.230] lstrcmpiW (lpString1="dll1", lpString2="sophos") returned -1 [0297.230] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.230] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0297.230] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0297.230] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0297.230] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0297.230] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\dll1\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37926f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f560 [0297.232] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.232] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37926f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0297.232] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.232] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.232] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea376b75, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea376b75, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x204c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="cosqueryxp.dll", cAlternateFileName="COSQUE~1.DLL")) returned 1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2=".") returned 1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="..") returned 1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="...") returned 1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="windows") returned -1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="rsa") returned -1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="NTDETECT.COM") returned -1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="ntldr") returned -1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="MSDOS.SYS") returned -1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="IO.SYS") returned -1 [0297.232] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="boot.ini") returned 1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="ntuser.dat") returned -1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="desktop.ini") returned -1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="CONFIG.SYS") returned 1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="RECYCLER") returned -1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="bootmgr") returned 1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="programdata") returned -1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="appdata") returned 1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="program files") returned -1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="program files (x86)") returned -1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="microsoft") returned -1 [0297.233] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="sophos") returned -1 [0297.233] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0297.233] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0297.233] PathFindExtensionW (pszPath="cosqueryxp.dll") returned=".dll" [0297.233] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.233] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.233] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.233] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.233] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.233] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.233] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.233] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.233] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea377ed3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x3b0c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="wdscore.dll", cAlternateFileName="")) returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2=".") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="..") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="...") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="windows") returned -1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="rsa") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="NTDETECT.COM") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="ntldr") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="MSDOS.SYS") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="IO.SYS") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="boot.ini") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="ntuser.dat") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="desktop.ini") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="CONFIG.SYS") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="RECYCLER") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="bootmgr") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="programdata") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="appdata") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="program files") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="program files (x86)") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="microsoft") returned 1 [0297.234] lstrcmpiW (lpString1="wdscore.dll", lpString2="sophos") returned 1 [0297.234] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0297.235] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.235] PathFindExtensionW (pszPath="wdscore.dll") returned=".dll" [0297.235] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.236] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.236] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.236] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.236] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.236] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.236] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.236] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.236] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37926f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37926f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xe9ec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2=".") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="..") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="...") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="windows") returned -1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="rsa") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="NTDETECT.COM") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="ntldr") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="MSDOS.SYS") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="IO.SYS") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="boot.ini") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="ntuser.dat") returned 1 [0297.236] lstrcmpiW (lpString1="webservices.dll", lpString2="desktop.ini") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="CONFIG.SYS") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="RECYCLER") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="bootmgr") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="programdata") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="appdata") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="program files") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="program files (x86)") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="microsoft") returned 1 [0297.237] lstrcmpiW (lpString1="webservices.dll", lpString2="sophos") returned 1 [0297.237] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0297.237] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0297.237] PathFindExtensionW (pszPath="webservices.dll") returned=".dll" [0297.237] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.237] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.237] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.237] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.237] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.237] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.237] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.237] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.237] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37926f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37926f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xe9ec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 0 [0297.237] FindClose (in: hFindFile=0xa2f560 | out: hFindFile=0xa2f560) returned 1 [0297.239] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.239] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.239] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0297.239] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37cd05, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="dll2", cAlternateFileName="")) returned 1 [0297.239] lstrcmpiW (lpString1="dll2", lpString2=".") returned 1 [0297.239] lstrcmpiW (lpString1="dll2", lpString2="..") returned 1 [0297.239] lstrcmpiW (lpString1="dll2", lpString2="...") returned 1 [0297.239] lstrcmpiW (lpString1="dll2", lpString2="windows") returned -1 [0297.239] lstrcmpiW (lpString1="dll2", lpString2="$RECYCLE.BIN") returned 1 [0297.239] lstrcmpiW (lpString1="dll2", lpString2="rsa") returned -1 [0297.239] lstrcmpiW (lpString1="dll2", lpString2="NTDETECT.COM") returned -1 [0297.239] lstrcmpiW (lpString1="dll2", lpString2="ntldr") returned -1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="MSDOS.SYS") returned -1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="IO.SYS") returned -1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="boot.ini") returned 1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="AUTOEXEC.BAT") returned 1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="ntuser.dat") returned -1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="desktop.ini") returned 1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="CONFIG.SYS") returned 1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="RECYCLER") returned -1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="BOOTSECT.BAK") returned 1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="bootmgr") returned 1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="programdata") returned -1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="appdata") returned 1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="program files") returned -1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="program files (x86)") returned -1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="microsoft") returned -1 [0297.240] lstrcmpiW (lpString1="dll2", lpString2="sophos") returned -1 [0297.240] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0297.240] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.240] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.240] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0297.240] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d12c0 [0297.240] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\dll2\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37e09b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f3e0 [0297.242] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.242] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37e09b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0297.242] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.242] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.242] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37e09b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37e09b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xb8400, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2=".") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="..") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="...") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="windows") returned -1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="rsa") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="NTDETECT.COM") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="ntldr") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="MSDOS.SYS") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="IO.SYS") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="boot.ini") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="ntuser.dat") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="desktop.ini") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="CONFIG.SYS") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="RECYCLER") returned 1 [0297.242] lstrcmpiW (lpString1="webservices.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.243] lstrcmpiW (lpString1="webservices.dll", lpString2="bootmgr") returned 1 [0297.243] lstrcmpiW (lpString1="webservices.dll", lpString2="programdata") returned 1 [0297.243] lstrcmpiW (lpString1="webservices.dll", lpString2="appdata") returned 1 [0297.243] lstrcmpiW (lpString1="webservices.dll", lpString2="program files") returned 1 [0297.243] lstrcmpiW (lpString1="webservices.dll", lpString2="program files (x86)") returned 1 [0297.243] lstrcmpiW (lpString1="webservices.dll", lpString2="microsoft") returned 1 [0297.243] lstrcmpiW (lpString1="webservices.dll", lpString2="sophos") returned 1 [0297.243] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0297.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0297.243] PathFindExtensionW (pszPath="webservices.dll") returned=".dll" [0297.243] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.243] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.243] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.243] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.243] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.243] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.243] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.243] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.243] FindNextFileW (in: hFindFile=0xa2f3e0, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37e09b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37e09b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xb8400, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 0 [0297.243] FindClose (in: hFindFile=0xa2f3e0 | out: hFindFile=0xa2f3e0) returned 1 [0297.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.243] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.244] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea380798, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea380798, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x326c8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="downloader.dll", cAlternateFileName="DOWNLO~1.DLL")) returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2=".") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="..") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="...") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="windows") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="rsa") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="NTDETECT.COM") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="ntldr") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="MSDOS.SYS") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="IO.SYS") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="boot.ini") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="ntuser.dat") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="desktop.ini") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="CONFIG.SYS") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="RECYCLER") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="bootmgr") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="programdata") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="appdata") returned 1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="program files") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="program files (x86)") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="microsoft") returned -1 [0297.244] lstrcmpiW (lpString1="downloader.dll", lpString2="sophos") returned -1 [0297.244] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1278 [0297.244] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0297.245] PathFindExtensionW (pszPath="downloader.dll") returned=".dll" [0297.245] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.245] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.245] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.245] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.245] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.245] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.245] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.245] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.245] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea381b2a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea381b2a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x9d2c8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2=".") returned 1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="..") returned 1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="...") returned 1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="windows") returned -1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="$RECYCLE.BIN") returned 1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="rsa") returned -1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="NTDETECT.COM") returned -1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="ntldr") returned -1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="MSDOS.SYS") returned -1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="IO.SYS") returned -1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="boot.ini") returned 1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="AUTOEXEC.BAT") returned 1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="ntuser.dat") returned -1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="desktop.ini") returned 1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="CONFIG.SYS") returned 1 [0297.245] lstrcmpiW (lpString1="DW20.EXE", lpString2="RECYCLER") returned -1 [0297.246] lstrcmpiW (lpString1="DW20.EXE", lpString2="BOOTSECT.BAK") returned 1 [0297.246] lstrcmpiW (lpString1="DW20.EXE", lpString2="bootmgr") returned 1 [0297.246] lstrcmpiW (lpString1="DW20.EXE", lpString2="programdata") returned -1 [0297.246] lstrcmpiW (lpString1="DW20.EXE", lpString2="appdata") returned 1 [0297.246] lstrcmpiW (lpString1="DW20.EXE", lpString2="program files") returned -1 [0297.246] lstrcmpiW (lpString1="DW20.EXE", lpString2="program files (x86)") returned -1 [0297.246] lstrcmpiW (lpString1="DW20.EXE", lpString2="microsoft") returned -1 [0297.246] lstrcmpiW (lpString1="DW20.EXE", lpString2="sophos") returned -1 [0297.246] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0297.246] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.246] PathFindExtensionW (pszPath="DW20.EXE") returned=".EXE" [0297.246] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0297.246] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea385605, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea385605, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xc2c8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="DWDCW20.DLL", cAlternateFileName="")) returned 1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2=".") returned 1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="..") returned 1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="...") returned 1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="windows") returned -1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="$RECYCLE.BIN") returned 1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="rsa") returned -1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="NTDETECT.COM") returned -1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="ntldr") returned -1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="MSDOS.SYS") returned -1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="IO.SYS") returned -1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="boot.ini") returned 1 [0297.246] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="AUTOEXEC.BAT") returned 1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="ntuser.dat") returned -1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="desktop.ini") returned 1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="CONFIG.SYS") returned 1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="RECYCLER") returned -1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="BOOTSECT.BAK") returned 1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="bootmgr") returned 1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="programdata") returned -1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="appdata") returned 1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="program files") returned -1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="program files (x86)") returned -1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="microsoft") returned -1 [0297.247] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="sophos") returned -1 [0297.247] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.247] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d2330 | out: hHeap=0x28d0000) returned 1 [0297.247] PathFindExtensionW (pszPath="DWDCW20.DLL") returned=".DLL" [0297.247] lstrcmpiW (lpString1=".DLL", lpString2=".exe") returned -1 [0297.247] lstrcmpiW (lpString1=".DLL", lpString2=".log") returned -1 [0297.247] lstrcmpiW (lpString1=".DLL", lpString2=".cab") returned 1 [0297.247] lstrcmpiW (lpString1=".DLL", lpString2=".cmd") returned 1 [0297.247] lstrcmpiW (lpString1=".DLL", lpString2=".com") returned 1 [0297.247] lstrcmpiW (lpString1=".DLL", lpString2=".cpl") returned 1 [0297.247] lstrcmpiW (lpString1=".DLL", lpString2=".ini") returned -1 [0297.247] lstrcmpiW (lpString1=".DLL", lpString2=".dll") returned 0 [0297.247] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea386943, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea386943, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xb2c8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 1 [0297.247] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2=".") returned 1 [0297.247] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="..") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="...") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="windows") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="$RECYCLE.BIN") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="rsa") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="NTDETECT.COM") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="ntldr") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="MSDOS.SYS") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="IO.SYS") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="boot.ini") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="AUTOEXEC.BAT") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="ntuser.dat") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="desktop.ini") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="CONFIG.SYS") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="RECYCLER") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="BOOTSECT.BAK") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="bootmgr") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="programdata") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="appdata") returned 1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="program files") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="program files (x86)") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="microsoft") returned -1 [0297.248] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="sophos") returned -1 [0297.248] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1278 [0297.248] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.248] PathFindExtensionW (pszPath="DWTRIG20.EXE") returned=".EXE" [0297.248] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0297.249] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea387cd0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea387cd0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2652, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="EnableWiFiTracing.cmd", cAlternateFileName="ENABLE~1.CMD")) returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2=".") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="..") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="...") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="windows") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="$RECYCLE.BIN") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="rsa") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="NTDETECT.COM") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="ntldr") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="MSDOS.SYS") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="IO.SYS") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="boot.ini") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="ntuser.dat") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="desktop.ini") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="CONFIG.SYS") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="RECYCLER") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="BOOTSECT.BAK") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="bootmgr") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="programdata") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="appdata") returned 1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="program files") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="program files (x86)") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="microsoft") returned -1 [0297.249] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="sophos") returned -1 [0297.250] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0297.250] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.250] PathFindExtensionW (pszPath="EnableWiFiTracing.cmd") returned=".cmd" [0297.250] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0297.250] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0297.250] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0297.250] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0297.250] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea389060, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea389060, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x10cc8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="ESDHelper.dll", cAlternateFileName="ESDHEL~1.DLL")) returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2=".") returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="..") returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="...") returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="windows") returned -1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="rsa") returned -1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="NTDETECT.COM") returned -1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="ntldr") returned -1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="MSDOS.SYS") returned -1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="IO.SYS") returned -1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="boot.ini") returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="ntuser.dat") returned -1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="desktop.ini") returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="CONFIG.SYS") returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="RECYCLER") returned -1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.250] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="bootmgr") returned 1 [0297.251] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="programdata") returned -1 [0297.251] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="appdata") returned 1 [0297.251] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="program files") returned -1 [0297.251] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="program files (x86)") returned -1 [0297.251] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="microsoft") returned -1 [0297.251] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="sophos") returned -1 [0297.251] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de788 [0297.251] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.251] PathFindExtensionW (pszPath="ESDHelper.dll") returned=".dll" [0297.251] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.251] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.251] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.251] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.251] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.251] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.251] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.251] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.251] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea38cadd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea38cadd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x9ec8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="esdstub.dll", cAlternateFileName="")) returned 1 [0297.251] lstrcmpiW (lpString1="esdstub.dll", lpString2=".") returned 1 [0297.251] lstrcmpiW (lpString1="esdstub.dll", lpString2="..") returned 1 [0297.251] lstrcmpiW (lpString1="esdstub.dll", lpString2="...") returned 1 [0297.251] lstrcmpiW (lpString1="esdstub.dll", lpString2="windows") returned -1 [0297.251] lstrcmpiW (lpString1="esdstub.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.251] lstrcmpiW (lpString1="esdstub.dll", lpString2="rsa") returned -1 [0297.251] lstrcmpiW (lpString1="esdstub.dll", lpString2="NTDETECT.COM") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="ntldr") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="MSDOS.SYS") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="IO.SYS") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="boot.ini") returned 1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="ntuser.dat") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="desktop.ini") returned 1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="CONFIG.SYS") returned 1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="RECYCLER") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="bootmgr") returned 1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="programdata") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="appdata") returned 1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="program files") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="program files (x86)") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="microsoft") returned -1 [0297.252] lstrcmpiW (lpString1="esdstub.dll", lpString2="sophos") returned -1 [0297.252] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.252] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0297.252] PathFindExtensionW (pszPath="esdstub.dll") returned=".dll" [0297.252] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.252] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.252] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.252] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.252] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.252] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.252] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.253] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.253] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea38de7f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea38de7f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x89ec8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="GatherOSState.EXE", cAlternateFileName="GATHER~1.EXE")) returned 1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2=".") returned 1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="..") returned 1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="...") returned 1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="windows") returned -1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="$RECYCLE.BIN") returned 1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="rsa") returned -1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="NTDETECT.COM") returned -1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="ntldr") returned -1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="MSDOS.SYS") returned -1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="IO.SYS") returned -1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="boot.ini") returned 1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="AUTOEXEC.BAT") returned 1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="ntuser.dat") returned -1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="desktop.ini") returned 1 [0297.253] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="CONFIG.SYS") returned 1 [0297.307] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="RECYCLER") returned -1 [0297.307] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="BOOTSECT.BAK") returned 1 [0297.308] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="bootmgr") returned 1 [0297.308] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="programdata") returned -1 [0297.308] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="appdata") returned 1 [0297.308] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="program files") returned -1 [0297.308] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="program files (x86)") returned -1 [0297.308] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="microsoft") returned -1 [0297.308] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="sophos") returned -1 [0297.308] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d1278 [0297.308] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d14b8 | out: hHeap=0x28d0000) returned 1 [0297.352] PathFindExtensionW (pszPath="GatherOSState.EXE") returned=".EXE" [0297.374] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0297.423] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39058e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39058e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x83cc8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="GetCurrentDeploy.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0297.423] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2=".") returned 1 [0297.423] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="..") returned 1 [0297.423] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="...") returned 1 [0297.423] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="windows") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="rsa") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="NTDETECT.COM") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="ntldr") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="MSDOS.SYS") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="IO.SYS") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="boot.ini") returned 1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="ntuser.dat") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="desktop.ini") returned 1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="CONFIG.SYS") returned 1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="RECYCLER") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="bootmgr") returned 1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="programdata") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="appdata") returned 1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="program files") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="program files (x86)") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="microsoft") returned -1 [0297.424] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="sophos") returned -1 [0297.424] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0297.424] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d1278 | out: hHeap=0x28d0000) returned 1 [0297.424] PathFindExtensionW (pszPath="GetCurrentDeploy.dll") returned=".dll" [0297.425] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.425] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.425] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.425] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.425] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.425] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.425] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.425] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.425] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea392ca4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea392ca4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~2.DLL")) returned 1 [0297.425] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2=".") returned 1 [0297.425] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="..") returned 1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="...") returned 1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="windows") returned -1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="$RECYCLE.BIN") returned 1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="rsa") returned -1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="NTDETECT.COM") returned -1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ntldr") returned -1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="MSDOS.SYS") returned -1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="IO.SYS") returned -1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="boot.ini") returned 1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="AUTOEXEC.BAT") returned 1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ntuser.dat") returned -1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="desktop.ini") returned 1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="CONFIG.SYS") returned 1 [0297.426] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="RECYCLER") returned -1 [0297.427] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="BOOTSECT.BAK") returned 1 [0297.427] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="bootmgr") returned 1 [0297.427] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="programdata") returned -1 [0297.427] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="appdata") returned 1 [0297.427] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="program files") returned -1 [0297.427] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="program files (x86)") returned -1 [0297.427] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="microsoft") returned -1 [0297.427] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="sophos") returned -1 [0297.427] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de788 [0297.427] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.427] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0297.427] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0297.427] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0297.427] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0297.427] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0297.427] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0297.427] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0297.427] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0297.428] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0297.428] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39539e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39539e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x11ec8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="GetCurrentRollback.EXE", cAlternateFileName="GETCUR~1.EXE")) returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2=".") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="..") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="...") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="windows") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="$RECYCLE.BIN") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="rsa") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="NTDETECT.COM") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="ntldr") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="MSDOS.SYS") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="IO.SYS") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="boot.ini") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="AUTOEXEC.BAT") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="ntuser.dat") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="desktop.ini") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="CONFIG.SYS") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="RECYCLER") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="BOOTSECT.BAK") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="bootmgr") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="programdata") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="appdata") returned 1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="program files") returned -1 [0297.428] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="program files (x86)") returned -1 [0297.429] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="microsoft") returned -1 [0297.429] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="sophos") returned -1 [0297.429] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28de720 [0297.429] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0297.429] PathFindExtensionW (pszPath="GetCurrentRollback.EXE") returned=".EXE" [0297.429] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0297.429] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39673d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39673d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x6cc8, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="HttpHelper.exe", cAlternateFileName="HTTPHE~1.EXE")) returned 1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2=".") returned 1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="..") returned 1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="...") returned 1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="windows") returned -1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="$RECYCLE.BIN") returned 1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="rsa") returned -1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="NTDETECT.COM") returned -1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="ntldr") returned -1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="MSDOS.SYS") returned -1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="IO.SYS") returned -1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="boot.ini") returned 1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="AUTOEXEC.BAT") returned 1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="ntuser.dat") returned -1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="desktop.ini") returned 1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="CONFIG.SYS") returned 1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="RECYCLER") returned -1 [0297.429] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="BOOTSECT.BAK") returned 1 [0297.430] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="bootmgr") returned 1 [0297.430] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="programdata") returned -1 [0297.430] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="appdata") returned 1 [0297.430] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="program files") returned -1 [0297.430] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="program files (x86)") returned -1 [0297.430] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="microsoft") returned -1 [0297.430] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="sophos") returned -1 [0297.430] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de788 [0297.430] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.430] PathFindExtensionW (pszPath="HttpHelper.exe") returned=".exe" [0297.430] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0297.430] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="PostOOBEScript.cmd", cAlternateFileName="POSTOO~1.CMD")) returned 1 [0297.430] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2=".") returned 1 [0297.430] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="..") returned 1 [0297.430] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="...") returned 1 [0297.430] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="windows") returned -1 [0297.430] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="$RECYCLE.BIN") returned 1 [0297.430] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="rsa") returned -1 [0297.430] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="NTDETECT.COM") returned 1 [0297.430] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="ntldr") returned 1 [0297.430] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="MSDOS.SYS") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="IO.SYS") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="boot.ini") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="ntuser.dat") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="desktop.ini") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="CONFIG.SYS") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="RECYCLER") returned -1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="BOOTSECT.BAK") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="bootmgr") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="programdata") returned -1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="appdata") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="program files") returned -1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="program files (x86)") returned -1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="microsoft") returned 1 [0297.431] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="sophos") returned -1 [0297.431] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0297.431] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de788 | out: hHeap=0x28d0000) returned 1 [0297.431] PathFindExtensionW (pszPath="PostOOBEScript.cmd") returned=".cmd" [0297.431] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0297.431] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0297.431] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0297.431] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0297.431] FindNextFileW (in: hFindFile=0xa2f8e0, lpFindFileData=0x26ef398 | out: lpFindFileData=0x26ef398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b3c1b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="resources", cAlternateFileName="RESOUR~1")) returned 1 [0297.431] lstrcmpiW (lpString1="resources", lpString2=".") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="..") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="...") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="windows") returned -1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="$RECYCLE.BIN") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="rsa") returned -1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="NTDETECT.COM") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="ntldr") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="MSDOS.SYS") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="IO.SYS") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="boot.ini") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="AUTOEXEC.BAT") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="ntuser.dat") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="desktop.ini") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="CONFIG.SYS") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="RECYCLER") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="BOOTSECT.BAK") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="bootmgr") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="programdata") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="appdata") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="program files") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="program files (x86)") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="microsoft") returned 1 [0297.432] lstrcmpiW (lpString1="resources", lpString2="sophos") returned -1 [0297.432] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d14b8 [0297.432] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0297.432] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d2330 [0297.432] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28d1278 [0297.433] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0297.454] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\*.*", lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b3c1b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f720 [0297.455] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.455] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b3c1b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0297.455] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.455] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.455] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3a5195, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="amd64", cAlternateFileName="")) returned 1 [0297.455] lstrcmpiW (lpString1="amd64", lpString2=".") returned 1 [0297.455] lstrcmpiW (lpString1="amd64", lpString2="..") returned 1 [0297.455] lstrcmpiW (lpString1="amd64", lpString2="...") returned 1 [0297.455] lstrcmpiW (lpString1="amd64", lpString2="windows") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="$RECYCLE.BIN") returned 1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="rsa") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="NTDETECT.COM") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="ntldr") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="MSDOS.SYS") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="IO.SYS") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="boot.ini") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="AUTOEXEC.BAT") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="ntuser.dat") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="desktop.ini") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="CONFIG.SYS") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="RECYCLER") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="BOOTSECT.BAK") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="bootmgr") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="programdata") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="appdata") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="program files") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="program files (x86)") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="microsoft") returned -1 [0297.456] lstrcmpiW (lpString1="amd64", lpString2="sophos") returned -1 [0297.502] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0297.502] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0297.502] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0297.502] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de778 [0297.502] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0297.502] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3a652e, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0297.508] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0297.508] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3a652e, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0297.508] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0297.508] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0297.508] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39b5b0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39b5b0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x16ebc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BiosBlocks.xml", cAlternateFileName="BIOSBL~1.XML")) returned 1 [0297.508] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".") returned 1 [0297.508] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="..") returned 1 [0297.508] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="...") returned 1 [0297.508] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="windows") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="$RECYCLE.BIN") returned 1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="rsa") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NTDETECT.COM") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ntldr") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="MSDOS.SYS") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="IO.SYS") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="boot.ini") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="AUTOEXEC.BAT") returned 1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ntuser.dat") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="desktop.ini") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="CONFIG.SYS") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="RECYCLER") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="BOOTSECT.BAK") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="bootmgr") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="programdata") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="appdata") returned 1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="program files") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="program files (x86)") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="microsoft") returned -1 [0297.509] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="sophos") returned -1 [0297.509] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd18 [0297.509] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.509] PathFindExtensionW (pszPath="BiosBlocks.xml") returned=".xml" [0297.509] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0297.510] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0297.510] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0297.510] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0297.510] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0297.513] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=93884) returned 1 [0297.513] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.513] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.513] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.513] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.513] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23830 [0297.513] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0297.513] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23830*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d23830*, pdwDataLen=0x26eec08*=0x100) returned 1 [0297.514] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0297.652] GetTickCount () returned 0x118a72b [0297.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea18 [0297.652] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea18 | out: hHeap=0x28d0000) returned 1 [0297.653] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16ebc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.685] SetLastError (dwErrCode=0x0) [0297.708] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23830*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23830*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.710] GetLastError () returned 0x0 [0297.710] GetLastError () returned 0x0 [0297.710] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16fbc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.710] WriteFile (in: hFile=0x26c, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.711] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x170bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.733] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd7c8a484, dwHighDateTime=0x1d5fd73)) [0297.733] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0297.733] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.824] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0297.824] GetProcessHeap () returned 0xa10000 [0297.824] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x16ebc) returned 0xa3e6a0 [0297.849] GetSystemDefaultLangID () returned 0xa20409 [0297.849] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.849] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x16ebc, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x16ebc, lpOverlapped=0x0) returned 1 [0297.857] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.857] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x16ebc, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x16ebc, lpOverlapped=0x0) returned 1 [0297.858] GetProcessHeap () returned 0xa10000 [0297.858] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0297.858] CloseHandle (hObject=0x26c) returned 1 [0297.858] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23830 | out: hHeap=0x28d0000) returned 1 [0297.858] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0297.858] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.858] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.858] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe08 [0297.880] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml.nefilim")) returned 1 [0297.882] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0297.882] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0297.882] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39c8ec, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39c8ec, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x11daf, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwcompat.txt", cAlternateFileName="")) returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".") returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="..") returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="...") returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="windows") returned -1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="$RECYCLE.BIN") returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="rsa") returned -1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NTDETECT.COM") returned -1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ntldr") returned -1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="MSDOS.SYS") returned -1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="IO.SYS") returned -1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="boot.ini") returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="AUTOEXEC.BAT") returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ntuser.dat") returned -1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="desktop.ini") returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="CONFIG.SYS") returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="RECYCLER") returned -1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="BOOTSECT.BAK") returned 1 [0297.882] lstrcmpiW (lpString1="hwcompat.txt", lpString2="bootmgr") returned 1 [0297.883] lstrcmpiW (lpString1="hwcompat.txt", lpString2="programdata") returned -1 [0297.883] lstrcmpiW (lpString1="hwcompat.txt", lpString2="appdata") returned 1 [0297.883] lstrcmpiW (lpString1="hwcompat.txt", lpString2="program files") returned -1 [0297.883] lstrcmpiW (lpString1="hwcompat.txt", lpString2="program files (x86)") returned -1 [0297.883] lstrcmpiW (lpString1="hwcompat.txt", lpString2="microsoft") returned -1 [0297.883] lstrcmpiW (lpString1="hwcompat.txt", lpString2="sophos") returned -1 [0297.883] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0297.883] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0297.883] PathFindExtensionW (pszPath="hwcompat.txt") returned=".txt" [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0297.883] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0297.883] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0297.883] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0297.884] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0297.884] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=73135) returned 1 [0297.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.884] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.884] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0297.884] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22cd8 [0297.884] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26eec08*=0x100) returned 1 [0297.885] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22cd8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22cd8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0297.885] GetTickCount () returned 0x118a815 [0297.885] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c8 [0297.885] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c8 | out: hHeap=0x28d0000) returned 1 [0297.885] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11daf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.885] SetLastError (dwErrCode=0x0) [0297.885] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.908] GetLastError () returned 0x0 [0297.908] GetLastError () returned 0x0 [0297.908] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11eaf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.908] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22cd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.908] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11faf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.908] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd7e15bc8, dwHighDateTime=0x1d5fd73)) [0297.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd38 [0297.908] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0297.908] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0297.908] GetProcessHeap () returned 0xa10000 [0297.908] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x11daf) returned 0xa3e6a0 [0297.908] GetSystemDefaultLangID () returned 0xa20409 [0297.908] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.908] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x11daf, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x11daf, lpOverlapped=0x0) returned 1 [0297.918] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.918] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x11daf, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x11daf, lpOverlapped=0x0) returned 1 [0297.919] GetProcessHeap () returned 0xa10000 [0297.919] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0297.919] CloseHandle (hObject=0x26c) returned 1 [0297.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0297.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22cd8 | out: hHeap=0x28d0000) returned 1 [0297.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.919] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.919] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe08 [0297.919] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt.nefilim")) returned 1 [0297.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0297.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.920] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39dcc9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39dcc9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x90d, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwexclude.txt", cAlternateFileName="HWEXCL~1.TXT")) returned 1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".") returned 1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="..") returned 1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="...") returned 1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="windows") returned -1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="$RECYCLE.BIN") returned 1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="rsa") returned -1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NTDETECT.COM") returned -1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ntldr") returned -1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="MSDOS.SYS") returned -1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="IO.SYS") returned -1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="boot.ini") returned 1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="AUTOEXEC.BAT") returned 1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ntuser.dat") returned -1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="desktop.ini") returned 1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="CONFIG.SYS") returned 1 [0297.920] lstrcmpiW (lpString1="hwexclude.txt", lpString2="RECYCLER") returned -1 [0297.921] lstrcmpiW (lpString1="hwexclude.txt", lpString2="BOOTSECT.BAK") returned 1 [0297.921] lstrcmpiW (lpString1="hwexclude.txt", lpString2="bootmgr") returned 1 [0297.921] lstrcmpiW (lpString1="hwexclude.txt", lpString2="programdata") returned -1 [0297.921] lstrcmpiW (lpString1="hwexclude.txt", lpString2="appdata") returned 1 [0297.921] lstrcmpiW (lpString1="hwexclude.txt", lpString2="program files") returned -1 [0297.921] lstrcmpiW (lpString1="hwexclude.txt", lpString2="program files (x86)") returned -1 [0297.921] lstrcmpiW (lpString1="hwexclude.txt", lpString2="microsoft") returned -1 [0297.921] lstrcmpiW (lpString1="hwexclude.txt", lpString2="sophos") returned -1 [0297.921] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0297.921] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0297.921] PathFindExtensionW (pszPath="hwexclude.txt") returned=".txt" [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0297.921] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0297.922] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0297.922] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0297.922] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd38 [0297.922] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0297.922] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=2317) returned 1 [0297.922] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.922] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.922] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.922] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.922] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0297.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d229c0 [0297.923] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0297.923] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d229c0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d229c0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0297.923] GetTickCount () returned 0x118a834 [0297.923] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de938 [0297.923] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de938 | out: hHeap=0x28d0000) returned 1 [0297.923] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x90d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.923] SetLastError (dwErrCode=0x0) [0297.923] WriteFile (in: hFile=0x26c, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.928] GetLastError () returned 0x0 [0297.928] GetLastError () returned 0x0 [0297.928] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa0d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.928] WriteFile (in: hFile=0x26c, lpBuffer=0x2d229c0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d229c0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.928] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xb0d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.928] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd7e61ffc, dwHighDateTime=0x1d5fd73)) [0297.928] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdb0 [0297.928] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb0 | out: hHeap=0x28d0000) returned 1 [0297.928] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0297.928] GetProcessHeap () returned 0xa10000 [0297.928] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x90d) returned 0xa34b88 [0297.928] GetSystemDefaultLangID () returned 0xa20409 [0297.928] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.928] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x90d, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x90d, lpOverlapped=0x0) returned 1 [0297.929] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.929] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x90d, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x90d, lpOverlapped=0x0) returned 1 [0297.929] GetProcessHeap () returned 0xa10000 [0297.929] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0297.929] CloseHandle (hObject=0x26c) returned 1 [0297.929] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0297.929] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d229c0 | out: hHeap=0x28d0000) returned 1 [0297.929] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.929] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.929] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdb0 [0297.929] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt.nefilim")) returned 1 [0297.930] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb0 | out: hHeap=0x28d0000) returned 1 [0297.930] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0297.930] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39eff9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39eff9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x26b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="nxquery.cat", cAlternateFileName="")) returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2=".") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="..") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="...") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="windows") returned -1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="$RECYCLE.BIN") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="rsa") returned -1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="NTDETECT.COM") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="ntldr") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="MSDOS.SYS") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="IO.SYS") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="boot.ini") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="AUTOEXEC.BAT") returned 1 [0297.930] lstrcmpiW (lpString1="nxquery.cat", lpString2="ntuser.dat") returned 1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="desktop.ini") returned 1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="CONFIG.SYS") returned 1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="RECYCLER") returned -1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="BOOTSECT.BAK") returned 1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="bootmgr") returned 1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="programdata") returned -1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="appdata") returned 1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="program files") returned -1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="program files (x86)") returned -1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="microsoft") returned 1 [0297.931] lstrcmpiW (lpString1="nxquery.cat", lpString2="sophos") returned -1 [0297.931] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd38 [0297.931] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.931] PathFindExtensionW (pszPath="nxquery.cat") returned=".cat" [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".exe") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".log") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".cab") returned 1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".cmd") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".com") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".cpl") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".ini") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".dll") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".url") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".ttf") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".mp3") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".pif") returned -1 [0297.931] lstrcmpiW (lpString1=".cat", lpString2=".mp4") returned -1 [0297.932] lstrcmpiW (lpString1=".cat", lpString2=".NEFILIM") returned -1 [0297.932] lstrcmpiW (lpString1=".cat", lpString2=".msi") returned -1 [0297.932] lstrcmpiW (lpString1=".cat", lpString2=".lnk") returned -1 [0297.932] lstrcmpiW (lpString1="nxquery.cat", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0297.932] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0297.932] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0297.932] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=9910) returned 1 [0297.932] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0297.932] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0297.932] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0297.933] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0297.933] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23620 [0297.933] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23518 [0297.933] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23620*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d23620*, pdwDataLen=0x26eec08*=0x100) returned 1 [0297.933] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x100) returned 1 [0297.933] GetTickCount () returned 0x118a844 [0297.933] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deac0 [0297.933] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deac0 | out: hHeap=0x28d0000) returned 1 [0297.934] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x26b6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.934] SetLastError (dwErrCode=0x0) [0297.934] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23620*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.940] GetLastError () returned 0x0 [0297.940] GetLastError () returned 0x0 [0297.940] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x27b6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.940] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23518*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0297.940] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x28b6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.940] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd7e61ffc, dwHighDateTime=0x1d5fd73)) [0297.940] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbda0 [0297.940] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0297.940] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0297.940] GetProcessHeap () returned 0xa10000 [0297.940] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x26b6) returned 0xa3e6a0 [0297.940] GetSystemDefaultLangID () returned 0xa20409 [0297.940] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.940] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x26b6, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x26b6, lpOverlapped=0x0) returned 1 [0297.995] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0297.995] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x26b6, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x26b6, lpOverlapped=0x0) returned 1 [0297.996] GetProcessHeap () returned 0xa10000 [0297.996] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0297.996] CloseHandle (hObject=0x26c) returned 1 [0297.996] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23620 | out: hHeap=0x28d0000) returned 1 [0297.996] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23518 | out: hHeap=0x28d0000) returned 1 [0297.996] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0297.996] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0297.996] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbda0 [0297.996] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat.nefilim")) returned 1 [0297.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0297.997] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0297.997] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a3e27, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a3e27, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nxquery.inf", cAlternateFileName="")) returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2=".") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="..") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="...") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="windows") returned -1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="$RECYCLE.BIN") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="rsa") returned -1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="NTDETECT.COM") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="ntldr") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="MSDOS.SYS") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="IO.SYS") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="boot.ini") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="AUTOEXEC.BAT") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="ntuser.dat") returned 1 [0297.997] lstrcmpiW (lpString1="nxquery.inf", lpString2="desktop.ini") returned 1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="CONFIG.SYS") returned 1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="RECYCLER") returned -1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="BOOTSECT.BAK") returned 1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="bootmgr") returned 1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="programdata") returned -1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="appdata") returned 1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="program files") returned -1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="program files (x86)") returned -1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="microsoft") returned 1 [0297.998] lstrcmpiW (lpString1="nxquery.inf", lpString2="sophos") returned -1 [0297.998] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0297.998] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0297.998] PathFindExtensionW (pszPath="nxquery.inf") returned=".inf" [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".exe") returned 1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".log") returned -1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".cab") returned 1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".cmd") returned 1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".com") returned 1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".cpl") returned 1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".ini") returned -1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".dll") returned 1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".url") returned -1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".ttf") returned -1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".mp3") returned -1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".pif") returned -1 [0297.998] lstrcmpiW (lpString1=".inf", lpString2=".mp4") returned -1 [0297.999] lstrcmpiW (lpString1=".inf", lpString2=".NEFILIM") returned -1 [0297.999] lstrcmpiW (lpString1=".inf", lpString2=".msi") returned -1 [0297.999] lstrcmpiW (lpString1=".inf", lpString2=".lnk") returned -1 [0297.999] lstrcmpiW (lpString1="nxquery.inf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0297.999] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0297.999] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0298.000] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=1495) returned 1 [0298.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0298.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0298.000] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0298.000] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0298.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22288 [0298.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d225a0 [0298.000] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22288*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d22288*, pdwDataLen=0x26eec08*=0x100) returned 1 [0298.001] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d225a0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d225a0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0298.001] GetTickCount () returned 0x118a882 [0298.001] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deba0 [0298.001] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deba0 | out: hHeap=0x28d0000) returned 1 [0298.001] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.001] SetLastError (dwErrCode=0x0) [0298.001] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22288*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0298.008] GetLastError () returned 0x0 [0298.008] GetLastError () returned 0x0 [0298.008] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x6d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.009] WriteFile (in: hFile=0x26c, lpBuffer=0x2d225a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d225a0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0298.009] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.009] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd7f20afb, dwHighDateTime=0x1d5fd73)) [0298.009] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0298.009] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0298.009] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0298.009] GetProcessHeap () returned 0xa10000 [0298.009] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x5d7) returned 0xa34b88 [0298.009] GetSystemDefaultLangID () returned 0xa20409 [0298.009] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.009] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x5d7, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x5d7, lpOverlapped=0x0) returned 1 [0298.009] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.009] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x5d7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x5d7, lpOverlapped=0x0) returned 1 [0298.010] GetProcessHeap () returned 0xa10000 [0298.010] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0298.010] CloseHandle (hObject=0x26c) returned 1 [0298.010] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22288 | out: hHeap=0x28d0000) returned 1 [0298.010] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d225a0 | out: hHeap=0x28d0000) returned 1 [0298.010] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0298.010] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0298.010] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0298.010] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf.nefilim")) returned 1 [0298.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0298.011] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0298.011] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a652e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a652e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x50b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="..") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="...") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="windows") returned -1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="$RECYCLE.BIN") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="rsa") returned -1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NTDETECT.COM") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ntldr") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="MSDOS.SYS") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="IO.SYS") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="boot.ini") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="AUTOEXEC.BAT") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ntuser.dat") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="desktop.ini") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="CONFIG.SYS") returned 1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="RECYCLER") returned -1 [0298.011] lstrcmpiW (lpString1="NXQuery.sys", lpString2="BOOTSECT.BAK") returned 1 [0298.012] lstrcmpiW (lpString1="NXQuery.sys", lpString2="bootmgr") returned 1 [0298.012] lstrcmpiW (lpString1="NXQuery.sys", lpString2="programdata") returned -1 [0298.012] lstrcmpiW (lpString1="NXQuery.sys", lpString2="appdata") returned 1 [0298.012] lstrcmpiW (lpString1="NXQuery.sys", lpString2="program files") returned -1 [0298.012] lstrcmpiW (lpString1="NXQuery.sys", lpString2="program files (x86)") returned -1 [0298.012] lstrcmpiW (lpString1="NXQuery.sys", lpString2="microsoft") returned 1 [0298.012] lstrcmpiW (lpString1="NXQuery.sys", lpString2="sophos") returned -1 [0298.012] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0298.012] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0298.012] PathFindExtensionW (pszPath="NXQuery.sys") returned=".sys" [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0298.012] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0298.012] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0298.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0298.013] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\NXQuery.sys" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0298.013] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=20656) returned 1 [0298.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0298.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0298.013] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0298.013] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0298.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0298.013] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22078 [0298.013] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0298.014] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22078*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22078*, pdwDataLen=0x26eec04*=0x100) returned 1 [0298.016] GetTickCount () returned 0x118a892 [0298.016] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de970 [0298.016] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de970 | out: hHeap=0x28d0000) returned 1 [0298.016] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x50b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.016] SetLastError (dwErrCode=0x0) [0298.016] WriteFile (in: hFile=0x26c, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0298.045] GetLastError () returned 0x0 [0298.045] GetLastError () returned 0x0 [0298.046] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x51b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.046] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22078*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0298.046] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x52b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.046] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd7f6cfb7, dwHighDateTime=0x1d5fd73)) [0298.046] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0298.046] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0298.046] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0298.046] GetProcessHeap () returned 0xa10000 [0298.046] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x50b0) returned 0xa3e6a0 [0298.048] GetSystemDefaultLangID () returned 0xa20409 [0298.048] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.048] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x50b0, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x50b0, lpOverlapped=0x0) returned 1 [0298.216] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.216] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x50b0, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x50b0, lpOverlapped=0x0) returned 1 [0298.216] GetProcessHeap () returned 0xa10000 [0298.233] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0298.233] CloseHandle (hObject=0x26c) returned 1 [0298.258] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0298.258] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22078 | out: hHeap=0x28d0000) returned 1 [0298.258] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0298.258] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0298.258] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0298.258] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\NXQuery.sys" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.sys"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\NXQuery.sys.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.sys.nefilim")) returned 1 [0298.259] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0298.259] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0298.259] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a652e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a652e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x50b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 0 [0298.259] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0298.259] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0298.259] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de778 | out: hHeap=0x28d0000) returned 1 [0298.259] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0298.259] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a78b4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a78b4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xc981b, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwcompatShared.txt", cAlternateFileName="HWCOMP~1.TXT")) returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2=".") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="..") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="...") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="windows") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="$RECYCLE.BIN") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="rsa") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="NTDETECT.COM") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="ntldr") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="MSDOS.SYS") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="IO.SYS") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="boot.ini") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="AUTOEXEC.BAT") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="ntuser.dat") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="desktop.ini") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="CONFIG.SYS") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="RECYCLER") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="BOOTSECT.BAK") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="bootmgr") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="programdata") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="appdata") returned 1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="program files") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="program files (x86)") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="microsoft") returned -1 [0298.277] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="sophos") returned -1 [0298.277] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28de778 [0298.277] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0298.278] PathFindExtensionW (pszPath="hwcompatShared.txt") returned=".txt" [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0298.278] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0298.278] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0298.278] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0298.278] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0298.297] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x26eef68 | out: lpFileSize=0x26eef68*=825371) returned 1 [0298.298] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0298.298] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0298.298] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0298.298] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0298.298] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22078 [0298.298] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22de0 [0298.316] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22078*, pdwDataLen=0x26eef28*=0x10, dwBufLen=0x100 | out: pbData=0x2d22078*, pdwDataLen=0x26eef28*=0x100) returned 1 [0298.317] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22de0*, pdwDataLen=0x26eef24*=0x10, dwBufLen=0x100 | out: pbData=0x2d22de0*, pdwDataLen=0x26eef24*=0x100) returned 1 [0298.317] GetTickCount () returned 0x118a9ca [0298.317] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea18 [0298.318] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea18 | out: hHeap=0x28d0000) returned 1 [0298.318] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0xc981b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.352] SetLastError (dwErrCode=0x0) [0298.352] WriteFile (in: hFile=0x23c, lpBuffer=0x2d22078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d22078*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0298.402] GetLastError () returned 0x0 [0298.402] GetLastError () returned 0x0 [0298.402] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0xc991b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.402] WriteFile (in: hFile=0x23c, lpBuffer=0x2d22de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x2d22de0*, lpNumberOfBytesWritten=0x26eef80*=0x100, lpOverlapped=0x0) returned 1 [0298.402] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0xc9a1b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.402] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eef3c | out: lpSystemTimeAsFileTime=0x26eef3c*(dwLowDateTime=0xd82eb632, dwHighDateTime=0x1d5fd73)) [0298.402] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28de720 [0298.403] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0298.465] WriteFile (in: hFile=0x23c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eef80*=0x7, lpOverlapped=0x0) returned 1 [0298.465] GetProcessHeap () returned 0xa10000 [0298.465] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xc981b) returned 0xc15020 [0298.469] GetSystemDefaultLangID () returned 0xa20409 [0298.469] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.469] ReadFile (in: hFile=0x23c, lpBuffer=0xc15020, nNumberOfBytesToRead=0xc981b, lpNumberOfBytesRead=0x26eef8c, lpOverlapped=0x0 | out: lpBuffer=0xc15020*, lpNumberOfBytesRead=0x26eef8c*=0xc981b, lpOverlapped=0x0) returned 1 [0298.638] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.638] WriteFile (in: hFile=0x23c, lpBuffer=0xc15020*, nNumberOfBytesToWrite=0xc981b, lpNumberOfBytesWritten=0x26eef80, lpOverlapped=0x0 | out: lpBuffer=0xc15020*, lpNumberOfBytesWritten=0x26eef80*=0xc981b, lpOverlapped=0x0) returned 1 [0298.641] GetProcessHeap () returned 0xa10000 [0298.641] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xc15020 | out: hHeap=0xa10000) returned 1 [0298.646] CloseHandle (hObject=0x23c) returned 1 [0298.646] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22078 | out: hHeap=0x28d0000) returned 1 [0298.646] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22de0 | out: hHeap=0x28d0000) returned 1 [0298.647] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0298.647] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0298.647] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbd38 [0298.647] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt.nefilim")) returned 1 [0298.648] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0298.648] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0298.648] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b1515, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b1515, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i386", cAlternateFileName="")) returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2=".") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="..") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="...") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="windows") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="$RECYCLE.BIN") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="rsa") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="NTDETECT.COM") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="ntldr") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="MSDOS.SYS") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="IO.SYS") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="boot.ini") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="AUTOEXEC.BAT") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="ntuser.dat") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="desktop.ini") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="CONFIG.SYS") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="RECYCLER") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="BOOTSECT.BAK") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="bootmgr") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="programdata") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="appdata") returned 1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="program files") returned -1 [0298.648] lstrcmpiW (lpString1="i386", lpString2="program files (x86)") returned -1 [0298.649] lstrcmpiW (lpString1="i386", lpString2="microsoft") returned -1 [0298.649] lstrcmpiW (lpString1="i386", lpString2="sophos") returned -1 [0298.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0298.649] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de778 | out: hHeap=0x28d0000) returned 1 [0298.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0298.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de778 [0298.649] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0298.649] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\i386\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b1515, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b2895, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xa2f6a0 [0298.651] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0298.651] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b1515, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b2895, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0298.651] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0298.651] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0298.651] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ab347, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ab347, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x16600, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="BiosBlocks.xml", cAlternateFileName="BIOSBL~1.XML")) returned 1 [0298.651] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".") returned 1 [0298.651] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="..") returned 1 [0298.651] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="...") returned 1 [0298.651] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="windows") returned -1 [0298.651] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="$RECYCLE.BIN") returned 1 [0298.651] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="rsa") returned -1 [0298.651] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NTDETECT.COM") returned -1 [0298.651] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ntldr") returned -1 [0298.651] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="MSDOS.SYS") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="IO.SYS") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="boot.ini") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="AUTOEXEC.BAT") returned 1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ntuser.dat") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="desktop.ini") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="CONFIG.SYS") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="RECYCLER") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="BOOTSECT.BAK") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="bootmgr") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="programdata") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="appdata") returned 1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="program files") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="program files (x86)") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="microsoft") returned -1 [0298.652] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="sophos") returned -1 [0298.652] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd18 [0298.652] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0298.652] PathFindExtensionW (pszPath="BiosBlocks.xml") returned=".xml" [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0298.652] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0298.653] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0298.653] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0298.653] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0298.653] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0298.653] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0298.653] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0298.653] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0298.653] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0298.654] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=91648) returned 1 [0298.654] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0298.654] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0298.654] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0298.654] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0298.654] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22cd8 [0298.654] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23620 [0298.654] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22cd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d22cd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0298.656] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23620*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23620*, pdwDataLen=0x26eec04*=0x100) returned 1 [0298.658] GetTickCount () returned 0x118ab13 [0298.658] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de890 [0298.658] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de890 | out: hHeap=0x28d0000) returned 1 [0298.658] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.658] SetLastError (dwErrCode=0x0) [0298.658] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22cd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0298.718] GetLastError () returned 0x0 [0298.718] GetLastError () returned 0x0 [0298.719] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.719] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23620*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0298.719] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.719] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd85d558e, dwHighDateTime=0x1d5fd73)) [0298.719] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0298.719] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0298.719] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0298.719] GetProcessHeap () returned 0xa10000 [0298.719] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x16600) returned 0xa3e6a0 [0298.719] GetSystemDefaultLangID () returned 0xa20409 [0298.719] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.719] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x16600, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x16600, lpOverlapped=0x0) returned 1 [0298.828] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.847] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x16600, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x16600, lpOverlapped=0x0) returned 1 [0298.848] GetProcessHeap () returned 0xa10000 [0298.849] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0298.849] CloseHandle (hObject=0x26c) returned 1 [0298.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22cd8 | out: hHeap=0x28d0000) returned 1 [0298.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23620 | out: hHeap=0x28d0000) returned 1 [0298.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0298.849] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0298.849] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe08 [0298.887] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml.nefilim")) returned 1 [0298.888] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe08 | out: hHeap=0x28d0000) returned 1 [0298.888] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0298.888] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ac6e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ac6e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4071, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="hwcompat.txt", cAlternateFileName="")) returned 1 [0298.888] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".") returned 1 [0298.888] lstrcmpiW (lpString1="hwcompat.txt", lpString2="..") returned 1 [0298.888] lstrcmpiW (lpString1="hwcompat.txt", lpString2="...") returned 1 [0298.888] lstrcmpiW (lpString1="hwcompat.txt", lpString2="windows") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="$RECYCLE.BIN") returned 1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="rsa") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NTDETECT.COM") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ntldr") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="MSDOS.SYS") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="IO.SYS") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="boot.ini") returned 1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="AUTOEXEC.BAT") returned 1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ntuser.dat") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="desktop.ini") returned 1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="CONFIG.SYS") returned 1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="RECYCLER") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="BOOTSECT.BAK") returned 1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="bootmgr") returned 1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="programdata") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="appdata") returned 1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="program files") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="program files (x86)") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="microsoft") returned -1 [0298.889] lstrcmpiW (lpString1="hwcompat.txt", lpString2="sophos") returned -1 [0298.889] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd90 [0298.889] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0298.906] PathFindExtensionW (pszPath="hwcompat.txt") returned=".txt" [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0298.906] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0298.907] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0298.907] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0298.907] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0298.907] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0298.907] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0298.907] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0298.908] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=16497) returned 1 [0298.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0298.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0298.908] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0298.908] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0298.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0298.908] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23518 [0298.908] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26eec08*=0x100) returned 1 [0298.908] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23518*, pdwDataLen=0x26eec04*=0x100) returned 1 [0298.911] GetTickCount () returned 0x118ac1c [0298.911] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deba0 [0298.911] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deba0 | out: hHeap=0x28d0000) returned 1 [0298.911] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4071, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.911] SetLastError (dwErrCode=0x0) [0298.911] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0298.931] GetLastError () returned 0x0 [0298.931] GetLastError () returned 0x0 [0298.931] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4171, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.931] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23518*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0298.932] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4271, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.932] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd87eb5d5, dwHighDateTime=0x1d5fd73)) [0298.932] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0298.932] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0298.932] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0298.932] GetProcessHeap () returned 0xa10000 [0298.932] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4071) returned 0xa3e6a0 [0298.934] GetSystemDefaultLangID () returned 0xa20409 [0298.934] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.934] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x4071, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x4071, lpOverlapped=0x0) returned 1 [0298.979] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.979] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x4071, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x4071, lpOverlapped=0x0) returned 1 [0298.979] GetProcessHeap () returned 0xa10000 [0298.979] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0298.979] CloseHandle (hObject=0x26c) returned 1 [0298.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0298.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23518 | out: hHeap=0x28d0000) returned 1 [0298.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0298.979] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0298.979] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbdf8 [0298.980] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt.nefilim")) returned 1 [0298.980] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdf8 | out: hHeap=0x28d0000) returned 1 [0298.980] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0298.980] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ada69, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ada69, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x8d7, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="hwexclude.txt", cAlternateFileName="HWEXCL~1.TXT")) returned 1 [0298.980] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".") returned 1 [0298.980] lstrcmpiW (lpString1="hwexclude.txt", lpString2="..") returned 1 [0298.980] lstrcmpiW (lpString1="hwexclude.txt", lpString2="...") returned 1 [0298.980] lstrcmpiW (lpString1="hwexclude.txt", lpString2="windows") returned -1 [0298.980] lstrcmpiW (lpString1="hwexclude.txt", lpString2="$RECYCLE.BIN") returned 1 [0298.980] lstrcmpiW (lpString1="hwexclude.txt", lpString2="rsa") returned -1 [0298.980] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NTDETECT.COM") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ntldr") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="MSDOS.SYS") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="IO.SYS") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="boot.ini") returned 1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="AUTOEXEC.BAT") returned 1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ntuser.dat") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="desktop.ini") returned 1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="CONFIG.SYS") returned 1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="RECYCLER") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="BOOTSECT.BAK") returned 1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="bootmgr") returned 1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="programdata") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="appdata") returned 1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="program files") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="program files (x86)") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="microsoft") returned -1 [0298.981] lstrcmpiW (lpString1="hwexclude.txt", lpString2="sophos") returned -1 [0298.981] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0298.981] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0298.981] PathFindExtensionW (pszPath="hwexclude.txt") returned=".txt" [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0298.981] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0298.982] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0298.982] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0298.982] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0298.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd38 [0298.982] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0298.982] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=2263) returned 1 [0298.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0298.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0298.982] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0298.982] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0298.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0298.982] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23d58 [0298.982] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0298.983] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23d58*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23d58*, pdwDataLen=0x26eec04*=0x100) returned 1 [0298.983] GetTickCount () returned 0x118ac5b [0298.983] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf8 [0298.983] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf8 | out: hHeap=0x28d0000) returned 1 [0298.983] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0298.983] SetLastError (dwErrCode=0x0) [0298.983] WriteFile (in: hFile=0x26c, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.035] GetLastError () returned 0x0 [0299.035] GetLastError () returned 0x0 [0299.035] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.035] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23d58*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.035] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xad7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.035] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd88f664f, dwHighDateTime=0x1d5fd73)) [0299.035] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdb0 [0299.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb0 | out: hHeap=0x28d0000) returned 1 [0299.036] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0299.036] GetProcessHeap () returned 0xa10000 [0299.036] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x8d7) returned 0xa34b88 [0299.036] GetSystemDefaultLangID () returned 0xa20409 [0299.036] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.036] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x8d7, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x8d7, lpOverlapped=0x0) returned 1 [0299.036] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.036] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x8d7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x8d7, lpOverlapped=0x0) returned 1 [0299.036] GetProcessHeap () returned 0xa10000 [0299.036] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0299.036] CloseHandle (hObject=0x26c) returned 1 [0299.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0299.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23d58 | out: hHeap=0x28d0000) returned 1 [0299.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0299.036] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0299.036] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdb0 [0299.037] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt.nefilim")) returned 1 [0299.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb0 | out: hHeap=0x28d0000) returned 1 [0299.037] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0299.037] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3aedef, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3aedef, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2684, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="nxquery.cat", cAlternateFileName="")) returned 1 [0299.037] lstrcmpiW (lpString1="nxquery.cat", lpString2=".") returned 1 [0299.037] lstrcmpiW (lpString1="nxquery.cat", lpString2="..") returned 1 [0299.037] lstrcmpiW (lpString1="nxquery.cat", lpString2="...") returned 1 [0299.037] lstrcmpiW (lpString1="nxquery.cat", lpString2="windows") returned -1 [0299.037] lstrcmpiW (lpString1="nxquery.cat", lpString2="$RECYCLE.BIN") returned 1 [0299.037] lstrcmpiW (lpString1="nxquery.cat", lpString2="rsa") returned -1 [0299.037] lstrcmpiW (lpString1="nxquery.cat", lpString2="NTDETECT.COM") returned 1 [0299.037] lstrcmpiW (lpString1="nxquery.cat", lpString2="ntldr") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="MSDOS.SYS") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="IO.SYS") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="boot.ini") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="AUTOEXEC.BAT") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="ntuser.dat") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="desktop.ini") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="CONFIG.SYS") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="RECYCLER") returned -1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="BOOTSECT.BAK") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="bootmgr") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="programdata") returned -1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="appdata") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="program files") returned -1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="program files (x86)") returned -1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="microsoft") returned 1 [0299.038] lstrcmpiW (lpString1="nxquery.cat", lpString2="sophos") returned -1 [0299.038] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd38 [0299.038] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0299.038] PathFindExtensionW (pszPath="nxquery.cat") returned=".cat" [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".exe") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".log") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".cab") returned 1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".cmd") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".com") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".cpl") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".ini") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".dll") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".url") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".ttf") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".mp3") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".pif") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".mp4") returned -1 [0299.038] lstrcmpiW (lpString1=".cat", lpString2=".NEFILIM") returned -1 [0299.039] lstrcmpiW (lpString1=".cat", lpString2=".msi") returned -1 [0299.039] lstrcmpiW (lpString1=".cat", lpString2=".lnk") returned -1 [0299.039] lstrcmpiW (lpString1="nxquery.cat", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0299.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0299.039] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0299.039] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=9860) returned 1 [0299.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0299.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0299.039] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0299.039] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0299.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0299.039] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22288 [0299.039] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26eec08*=0x100) returned 1 [0299.040] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22288*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22288*, pdwDataLen=0x26eec04*=0x100) returned 1 [0299.040] GetTickCount () returned 0x118ac99 [0299.040] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb30 [0299.040] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb30 | out: hHeap=0x28d0000) returned 1 [0299.040] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2684, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.040] SetLastError (dwErrCode=0x0) [0299.040] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.042] GetLastError () returned 0x0 [0299.042] GetLastError () returned 0x0 [0299.042] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2784, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.042] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22288*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.042] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2884, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.042] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd88f664f, dwHighDateTime=0x1d5fd73)) [0299.042] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbda0 [0299.042] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0299.042] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0299.042] GetProcessHeap () returned 0xa10000 [0299.042] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x2684) returned 0xa3e6a0 [0299.042] GetSystemDefaultLangID () returned 0xa20409 [0299.042] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.042] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x2684, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x2684, lpOverlapped=0x0) returned 1 [0299.043] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.043] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x2684, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x2684, lpOverlapped=0x0) returned 1 [0299.043] GetProcessHeap () returned 0xa10000 [0299.043] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0299.043] CloseHandle (hObject=0x26c) returned 1 [0299.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0299.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22288 | out: hHeap=0x28d0000) returned 1 [0299.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0299.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0299.044] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbda0 [0299.044] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat.nefilim")) returned 1 [0299.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0299.044] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0299.044] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b017f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b017f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="nxquery.inf", cAlternateFileName="")) returned 1 [0299.044] lstrcmpiW (lpString1="nxquery.inf", lpString2=".") returned 1 [0299.044] lstrcmpiW (lpString1="nxquery.inf", lpString2="..") returned 1 [0299.044] lstrcmpiW (lpString1="nxquery.inf", lpString2="...") returned 1 [0299.044] lstrcmpiW (lpString1="nxquery.inf", lpString2="windows") returned -1 [0299.044] lstrcmpiW (lpString1="nxquery.inf", lpString2="$RECYCLE.BIN") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="rsa") returned -1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="NTDETECT.COM") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="ntldr") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="MSDOS.SYS") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="IO.SYS") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="boot.ini") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="AUTOEXEC.BAT") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="ntuser.dat") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="desktop.ini") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="CONFIG.SYS") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="RECYCLER") returned -1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="BOOTSECT.BAK") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="bootmgr") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="programdata") returned -1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="appdata") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="program files") returned -1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="program files (x86)") returned -1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="microsoft") returned 1 [0299.045] lstrcmpiW (lpString1="nxquery.inf", lpString2="sophos") returned -1 [0299.045] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0299.045] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0299.045] PathFindExtensionW (pszPath="nxquery.inf") returned=".inf" [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".exe") returned 1 [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".log") returned -1 [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".cab") returned 1 [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".cmd") returned 1 [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".com") returned 1 [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".cpl") returned 1 [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".ini") returned -1 [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".dll") returned 1 [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".url") returned -1 [0299.045] lstrcmpiW (lpString1=".inf", lpString2=".ttf") returned -1 [0299.046] lstrcmpiW (lpString1=".inf", lpString2=".mp3") returned -1 [0299.046] lstrcmpiW (lpString1=".inf", lpString2=".pif") returned -1 [0299.046] lstrcmpiW (lpString1=".inf", lpString2=".mp4") returned -1 [0299.046] lstrcmpiW (lpString1=".inf", lpString2=".NEFILIM") returned -1 [0299.046] lstrcmpiW (lpString1=".inf", lpString2=".msi") returned -1 [0299.046] lstrcmpiW (lpString1=".inf", lpString2=".lnk") returned -1 [0299.046] lstrcmpiW (lpString1="nxquery.inf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0299.046] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0299.046] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0299.047] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=1495) returned 1 [0299.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0299.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0299.047] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0299.047] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0299.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22078 [0299.047] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22180 [0299.047] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22078*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d22078*, pdwDataLen=0x26eec08*=0x100) returned 1 [0299.047] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22180*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22180*, pdwDataLen=0x26eec04*=0x100) returned 1 [0299.048] GetTickCount () returned 0x118ac99 [0299.048] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de858 [0299.048] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de858 | out: hHeap=0x28d0000) returned 1 [0299.048] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.048] SetLastError (dwErrCode=0x0) [0299.048] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22078*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.107] GetLastError () returned 0x0 [0299.107] GetLastError () returned 0x0 [0299.107] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x6d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.108] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22180*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.108] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.108] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd898f08c, dwHighDateTime=0x1d5fd73)) [0299.108] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0299.108] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0299.108] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0299.108] GetProcessHeap () returned 0xa10000 [0299.108] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x5d7) returned 0xa34b88 [0299.108] GetSystemDefaultLangID () returned 0xa20409 [0299.108] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.108] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x5d7, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x5d7, lpOverlapped=0x0) returned 1 [0299.108] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.108] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x5d7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x5d7, lpOverlapped=0x0) returned 1 [0299.108] GetProcessHeap () returned 0xa10000 [0299.108] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0299.108] CloseHandle (hObject=0x26c) returned 1 [0299.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22078 | out: hHeap=0x28d0000) returned 1 [0299.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22180 | out: hHeap=0x28d0000) returned 1 [0299.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0299.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0299.109] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0299.109] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf.nefilim")) returned 1 [0299.109] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0299.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0299.110] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b2895, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b2895, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4eb0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="NXQuery.sys", cAlternateFileName="")) returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="..") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="...") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="windows") returned -1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="$RECYCLE.BIN") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="rsa") returned -1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NTDETECT.COM") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ntldr") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="MSDOS.SYS") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="IO.SYS") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="boot.ini") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="AUTOEXEC.BAT") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ntuser.dat") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="desktop.ini") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="CONFIG.SYS") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="RECYCLER") returned -1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="BOOTSECT.BAK") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="bootmgr") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="programdata") returned -1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="appdata") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="program files") returned -1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="program files (x86)") returned -1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="microsoft") returned 1 [0299.110] lstrcmpiW (lpString1="NXQuery.sys", lpString2="sophos") returned -1 [0299.110] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0299.110] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0299.110] PathFindExtensionW (pszPath="NXQuery.sys") returned=".sys" [0299.110] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0299.110] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0299.110] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0299.111] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0299.111] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0299.111] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0299.111] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\NXQuery.sys" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0299.111] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=20144) returned 1 [0299.111] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0299.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0299.112] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0299.112] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0299.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0299.112] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22bd0 [0299.112] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0299.112] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22bd0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22bd0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0299.114] GetTickCount () returned 0x118ace7 [0299.114] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de970 [0299.114] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de970 | out: hHeap=0x28d0000) returned 1 [0299.114] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.114] SetLastError (dwErrCode=0x0) [0299.114] WriteFile (in: hFile=0x26c, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.216] GetLastError () returned 0x0 [0299.216] GetLastError () returned 0x0 [0299.216] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.217] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22bd0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.217] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x50b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.217] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd8a9a12a, dwHighDateTime=0x1d5fd73)) [0299.217] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0299.217] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0299.217] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0299.217] GetProcessHeap () returned 0xa10000 [0299.217] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x4eb0) returned 0xa3e6a0 [0299.219] GetSystemDefaultLangID () returned 0xa20409 [0299.219] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.219] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x4eb0, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x4eb0, lpOverlapped=0x0) returned 1 [0299.365] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.365] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x4eb0, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x4eb0, lpOverlapped=0x0) returned 1 [0299.365] GetProcessHeap () returned 0xa10000 [0299.365] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0299.365] CloseHandle (hObject=0x26c) returned 1 [0299.365] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0299.365] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22bd0 | out: hHeap=0x28d0000) returned 1 [0299.365] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0299.365] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0299.365] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0299.366] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\NXQuery.sys" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.sys"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\NXQuery.sys.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.sys.nefilim")) returned 1 [0299.366] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0299.366] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0299.366] FindNextFileW (in: hFindFile=0xa2f6a0, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b2895, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b2895, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4eb0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="NXQuery.sys", cAlternateFileName="")) returned 0 [0299.366] FindClose (in: hFindFile=0xa2f6a0 | out: hFindFile=0xa2f6a0) returned 1 [0299.367] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0299.367] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de778 | out: hHeap=0x28d0000) returned 1 [0299.367] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28d12c0 | out: hHeap=0x28d0000) returned 1 [0299.367] FindNextFileW (in: hFindFile=0xa2f720, lpFindFileData=0x26ef078 | out: lpFindFileData=0x26ef078*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ux", cAlternateFileName="")) returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2=".") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="..") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="...") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="windows") returned -1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="$RECYCLE.BIN") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="rsa") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="NTDETECT.COM") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="ntldr") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="MSDOS.SYS") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="IO.SYS") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="boot.ini") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="AUTOEXEC.BAT") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="ntuser.dat") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="desktop.ini") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="CONFIG.SYS") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="RECYCLER") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="BOOTSECT.BAK") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="bootmgr") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="programdata") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="appdata") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="program files") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="program files (x86)") returned 1 [0299.367] lstrcmpiW (lpString1="ux", lpString2="microsoft") returned 1 [0299.368] lstrcmpiW (lpString1="ux", lpString2="sophos") returned 1 [0299.368] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28d12c0 [0299.368] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de720 | out: hHeap=0x28d0000) returned 1 [0299.368] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de720 [0299.368] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28de778 [0299.368] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0299.368] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\*.*", lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xa2f560 [0299.385] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0299.385] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0299.385] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0299.385] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0299.385] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b4fa7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b4fa7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x397, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="block.png", cAlternateFileName="")) returned 1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2=".") returned 1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="..") returned 1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="...") returned 1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="windows") returned -1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="$RECYCLE.BIN") returned 1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="rsa") returned -1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="NTDETECT.COM") returned -1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="ntldr") returned -1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="MSDOS.SYS") returned -1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="IO.SYS") returned -1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="boot.ini") returned -1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="AUTOEXEC.BAT") returned 1 [0299.385] lstrcmpiW (lpString1="block.png", lpString2="ntuser.dat") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="desktop.ini") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="CONFIG.SYS") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="RECYCLER") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="BOOTSECT.BAK") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="bootmgr") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="programdata") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="appdata") returned 1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="program files") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="program files (x86)") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="microsoft") returned -1 [0299.386] lstrcmpiW (lpString1="block.png", lpString2="sophos") returned -1 [0299.386] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd18 [0299.386] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0299.386] PathFindExtensionW (pszPath="block.png") returned=".png" [0299.386] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0299.386] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0299.387] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0299.387] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0299.387] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0299.387] lstrcmpiW (lpString1="block.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0299.387] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd80 [0299.387] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0299.387] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=919) returned 1 [0299.387] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0299.387] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0299.388] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0299.388] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0299.388] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d229c0 [0299.388] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d227b0 [0299.388] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d229c0*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d229c0*, pdwDataLen=0x26eec08*=0x100) returned 1 [0299.388] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d227b0*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d227b0*, pdwDataLen=0x26eec04*=0x100) returned 1 [0299.388] GetTickCount () returned 0x118adf1 [0299.388] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb68 [0299.388] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb68 | out: hHeap=0x28d0000) returned 1 [0299.388] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x397, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.388] SetLastError (dwErrCode=0x0) [0299.388] WriteFile (in: hFile=0x26c, lpBuffer=0x2d229c0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d229c0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.467] GetLastError () returned 0x0 [0299.467] GetLastError () returned 0x0 [0299.467] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x497, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.467] WriteFile (in: hFile=0x26c, lpBuffer=0x2d227b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d227b0*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.467] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x597, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.467] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd8cfc76f, dwHighDateTime=0x1d5fd73)) [0299.467] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0299.467] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0299.467] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0299.467] GetProcessHeap () returned 0xa10000 [0299.467] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x397) returned 0xa34b88 [0299.467] GetSystemDefaultLangID () returned 0xa20409 [0299.467] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.467] ReadFile (in: hFile=0x26c, lpBuffer=0xa34b88, nNumberOfBytesToRead=0x397, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesRead=0x26eec6c*=0x397, lpOverlapped=0x0) returned 1 [0299.468] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.468] WriteFile (in: hFile=0x26c, lpBuffer=0xa34b88*, nNumberOfBytesToWrite=0x397, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa34b88*, lpNumberOfBytesWritten=0x26eec60*=0x397, lpOverlapped=0x0) returned 1 [0299.848] GetProcessHeap () returned 0xa10000 [0299.848] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa34b88 | out: hHeap=0xa10000) returned 1 [0299.848] CloseHandle (hObject=0x26c) returned 1 [0299.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d229c0 | out: hHeap=0x28d0000) returned 1 [0299.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d227b0 | out: hHeap=0x28d0000) returned 1 [0299.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0299.867] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0299.867] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbde8 [0299.868] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png.nefilim")) returned 1 [0299.869] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde8 | out: hHeap=0x28d0000) returned 1 [0299.869] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd80 | out: hHeap=0x28d0000) returned 1 [0299.869] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b8a24, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b8a24, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x749e0600, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0x1ba8, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="bluelogo.png", cAlternateFileName="")) returned 1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2=".") returned 1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="..") returned 1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="...") returned 1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="windows") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="$RECYCLE.BIN") returned 1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="rsa") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="NTDETECT.COM") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="ntldr") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="MSDOS.SYS") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="IO.SYS") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="boot.ini") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="AUTOEXEC.BAT") returned 1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="ntuser.dat") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="desktop.ini") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="CONFIG.SYS") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="RECYCLER") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="BOOTSECT.BAK") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="bootmgr") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="programdata") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="appdata") returned 1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="program files") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="program files (x86)") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="microsoft") returned -1 [0299.869] lstrcmpiW (lpString1="bluelogo.png", lpString2="sophos") returned -1 [0299.869] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd80 [0299.869] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd18 | out: hHeap=0x28d0000) returned 1 [0299.869] PathFindExtensionW (pszPath="bluelogo.png") returned=".png" [0299.870] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0299.870] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0299.870] lstrcmpiW (lpString1="bluelogo.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0299.870] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0299.870] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0299.871] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=7080) returned 1 [0299.871] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0299.871] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0299.871] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0299.872] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0299.872] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d226a8 [0299.872] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23e60 [0299.872] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d226a8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d226a8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0299.872] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23e60*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23e60*, pdwDataLen=0x26eec04*=0x100) returned 1 [0299.874] GetTickCount () returned 0x118afd5 [0299.874] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28dea50 [0299.874] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dea50 | out: hHeap=0x28d0000) returned 1 [0299.874] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1ba8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.874] SetLastError (dwErrCode=0x0) [0299.874] WriteFile (in: hFile=0x26c, lpBuffer=0x2d226a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d226a8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.919] GetLastError () returned 0x0 [0299.919] GetLastError () returned 0x0 [0299.919] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1ca8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.919] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23e60*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0299.919] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1da8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.920] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd914eb2c, dwHighDateTime=0x1d5fd73)) [0299.920] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd28 [0299.920] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0299.920] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0299.920] GetProcessHeap () returned 0xa10000 [0299.920] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1ba8) returned 0xa3e6a0 [0299.921] GetSystemDefaultLangID () returned 0xa20409 [0299.921] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.922] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x1ba8, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x1ba8, lpOverlapped=0x0) returned 1 [0299.997] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0299.997] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x1ba8, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x1ba8, lpOverlapped=0x0) returned 1 [0299.998] GetProcessHeap () returned 0xa10000 [0299.998] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0299.998] CloseHandle (hObject=0x26c) returned 1 [0299.998] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d226a8 | out: hHeap=0x28d0000) returned 1 [0299.998] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23e60 | out: hHeap=0x28d0000) returned 1 [0299.998] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0299.998] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0299.998] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbde8 [0299.998] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png.nefilim")) returned 1 [0299.999] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbde8 | out: hHeap=0x28d0000) returned 1 [0299.999] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0299.999] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b9dbd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b9dbd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="bullet.png", cAlternateFileName="")) returned 1 [0299.999] lstrcmpiW (lpString1="bullet.png", lpString2=".") returned 1 [0299.999] lstrcmpiW (lpString1="bullet.png", lpString2="..") returned 1 [0299.999] lstrcmpiW (lpString1="bullet.png", lpString2="...") returned 1 [0299.999] lstrcmpiW (lpString1="bullet.png", lpString2="windows") returned -1 [0299.999] lstrcmpiW (lpString1="bullet.png", lpString2="$RECYCLE.BIN") returned 1 [0299.999] lstrcmpiW (lpString1="bullet.png", lpString2="rsa") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="NTDETECT.COM") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="ntldr") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="MSDOS.SYS") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="IO.SYS") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="boot.ini") returned 1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="AUTOEXEC.BAT") returned 1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="ntuser.dat") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="desktop.ini") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="CONFIG.SYS") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="RECYCLER") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="BOOTSECT.BAK") returned 1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="bootmgr") returned 1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="programdata") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="appdata") returned 1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="program files") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="program files (x86)") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="microsoft") returned -1 [0300.000] lstrcmpiW (lpString1="bullet.png", lpString2="sophos") returned -1 [0300.000] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0300.000] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd80 | out: hHeap=0x28d0000) returned 1 [0300.000] PathFindExtensionW (pszPath="bullet.png") returned=".png" [0300.000] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0300.000] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0300.000] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0300.000] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0300.000] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0300.000] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0300.000] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0300.001] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0300.001] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0300.001] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0300.001] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0300.001] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0300.001] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0300.001] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0300.001] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0300.001] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0300.001] lstrcmpiW (lpString1="bullet.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0300.001] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0300.001] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0300.002] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=221) returned 1 [0300.002] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0300.002] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0300.002] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0300.002] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0300.002] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23c50 [0300.002] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23a40 [0300.002] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23c50*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d23c50*, pdwDataLen=0x26eec08*=0x100) returned 1 [0300.004] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23a40*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23a40*, pdwDataLen=0x26eec04*=0x100) returned 1 [0300.006] GetTickCount () returned 0x118b062 [0300.006] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deaf8 [0300.007] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deaf8 | out: hHeap=0x28d0000) returned 1 [0300.007] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xdd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.007] SetLastError (dwErrCode=0x0) [0300.007] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23c50*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0300.013] GetLastError () returned 0x0 [0300.013] GetLastError () returned 0x0 [0300.013] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.013] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23a40*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0300.167] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.167] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd93b103b, dwHighDateTime=0x1d5fd73)) [0300.167] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0300.168] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0300.168] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0300.168] GetProcessHeap () returned 0xa10000 [0300.168] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xdd) returned 0xa21e08 [0300.168] GetSystemDefaultLangID () returned 0xa20409 [0300.168] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.168] ReadFile (in: hFile=0x26c, lpBuffer=0xa21e08, nNumberOfBytesToRead=0xdd, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa21e08*, lpNumberOfBytesRead=0x26eec6c*=0xdd, lpOverlapped=0x0) returned 1 [0300.168] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.168] WriteFile (in: hFile=0x26c, lpBuffer=0xa21e08*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa21e08*, lpNumberOfBytesWritten=0x26eec60*=0xdd, lpOverlapped=0x0) returned 1 [0300.168] GetProcessHeap () returned 0xa10000 [0300.168] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa21e08 | out: hHeap=0xa10000) returned 1 [0300.168] CloseHandle (hObject=0x26c) returned 1 [0300.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23c50 | out: hHeap=0x28d0000) returned 1 [0300.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23a40 | out: hHeap=0x28d0000) returned 1 [0300.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0300.169] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0300.169] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0300.169] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png.nefilim")) returned 1 [0300.274] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0300.274] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0300.274] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bb141, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bb141, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1687, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="default.css", cAlternateFileName="")) returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2=".") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="..") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="...") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="windows") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="$RECYCLE.BIN") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="rsa") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="NTDETECT.COM") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="ntldr") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="MSDOS.SYS") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="IO.SYS") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="boot.ini") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="AUTOEXEC.BAT") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="ntuser.dat") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="desktop.ini") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="CONFIG.SYS") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="RECYCLER") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="BOOTSECT.BAK") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="bootmgr") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="programdata") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="appdata") returned 1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="program files") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="program files (x86)") returned -1 [0300.274] lstrcmpiW (lpString1="default.css", lpString2="microsoft") returned -1 [0300.275] lstrcmpiW (lpString1="default.css", lpString2="sophos") returned -1 [0300.275] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0300.275] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0300.275] PathFindExtensionW (pszPath="default.css") returned=".css" [0300.275] lstrcmpiW (lpString1=".css", lpString2=".exe") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".cab") returned 1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".cmd") returned 1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".com") returned 1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".cpl") returned 1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".url") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".mp3") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".pif") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".mp4") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".NEFILIM") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0300.275] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0300.275] lstrcmpiW (lpString1="default.css", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0300.275] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0300.275] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0300.276] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=5767) returned 1 [0300.276] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0300.276] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0300.276] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0300.276] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0300.276] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23938 [0300.276] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23410 [0300.276] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23938*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d23938*, pdwDataLen=0x26eec08*=0x100) returned 1 [0300.277] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23410*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23410*, pdwDataLen=0x26eec04*=0x100) returned 1 [0300.277] GetTickCount () returned 0x118b16c [0300.277] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de8c8 [0300.277] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de8c8 | out: hHeap=0x28d0000) returned 1 [0300.277] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1687, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.277] SetLastError (dwErrCode=0x0) [0300.278] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23938*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23938*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0300.350] GetLastError () returned 0x0 [0300.350] GetLastError () returned 0x0 [0300.350] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1787, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.350] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23410*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0300.350] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1887, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.351] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd957ac92, dwHighDateTime=0x1d5fd73)) [0300.351] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0300.351] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0300.351] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0300.351] GetProcessHeap () returned 0xa10000 [0300.351] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1687) returned 0xa3e6a0 [0300.351] GetSystemDefaultLangID () returned 0xa20409 [0300.351] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.351] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x1687, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x1687, lpOverlapped=0x0) returned 1 [0300.436] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.436] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x1687, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x1687, lpOverlapped=0x0) returned 1 [0300.436] GetProcessHeap () returned 0xa10000 [0300.437] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0300.437] CloseHandle (hObject=0x26c) returned 1 [0300.437] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23938 | out: hHeap=0x28d0000) returned 1 [0300.437] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23410 | out: hHeap=0x28d0000) returned 1 [0300.437] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0300.437] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0300.437] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0300.437] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css.nefilim")) returned 1 [0300.438] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0300.438] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0300.438] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bc4cd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bc4cd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xf44d, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="default.htm", cAlternateFileName="")) returned 1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2=".") returned 1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="..") returned 1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="...") returned 1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="windows") returned -1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="$RECYCLE.BIN") returned 1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="rsa") returned -1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="NTDETECT.COM") returned -1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="ntldr") returned -1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="MSDOS.SYS") returned -1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="IO.SYS") returned -1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="boot.ini") returned 1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="AUTOEXEC.BAT") returned 1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="ntuser.dat") returned -1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="desktop.ini") returned -1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="CONFIG.SYS") returned 1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="RECYCLER") returned -1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="BOOTSECT.BAK") returned 1 [0300.438] lstrcmpiW (lpString1="default.htm", lpString2="bootmgr") returned 1 [0300.439] lstrcmpiW (lpString1="default.htm", lpString2="programdata") returned -1 [0300.439] lstrcmpiW (lpString1="default.htm", lpString2="appdata") returned 1 [0300.439] lstrcmpiW (lpString1="default.htm", lpString2="program files") returned -1 [0300.439] lstrcmpiW (lpString1="default.htm", lpString2="program files (x86)") returned -1 [0300.439] lstrcmpiW (lpString1="default.htm", lpString2="microsoft") returned -1 [0300.439] lstrcmpiW (lpString1="default.htm", lpString2="sophos") returned -1 [0300.439] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbcc0 [0300.439] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0300.439] PathFindExtensionW (pszPath="default.htm") returned=".htm" [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0300.439] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0300.439] lstrcmpiW (lpString1="default.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0300.439] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbd28 [0300.440] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0300.440] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=62541) returned 1 [0300.440] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0300.440] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0300.440] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0300.440] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0300.440] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0300.440] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23200 [0300.440] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0300.441] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23200*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23200*, pdwDataLen=0x26eec04*=0x100) returned 1 [0300.442] GetTickCount () returned 0x118b217 [0300.442] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9a8 [0300.442] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9a8 | out: hHeap=0x28d0000) returned 1 [0300.442] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf44d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.442] SetLastError (dwErrCode=0x0) [0300.442] WriteFile (in: hFile=0x26c, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0300.531] GetLastError () returned 0x0 [0300.531] GetLastError () returned 0x0 [0300.531] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf54d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.531] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23200*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0300.531] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf64d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.531] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xd971fef2, dwHighDateTime=0x1d5fd73)) [0300.531] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd90 [0300.531] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0300.531] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0300.531] GetProcessHeap () returned 0xa10000 [0300.531] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xf44d) returned 0xa3e6a0 [0300.531] GetSystemDefaultLangID () returned 0xa20409 [0300.531] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0300.531] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xf44d, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xf44d, lpOverlapped=0x0) returned 1 [0301.138] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.138] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xf44d, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xf44d, lpOverlapped=0x0) returned 1 [0301.139] GetProcessHeap () returned 0xa10000 [0301.139] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0301.139] CloseHandle (hObject=0x26c) returned 1 [0301.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0301.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23200 | out: hHeap=0x28d0000) returned 1 [0301.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0301.139] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0301.139] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd90 [0301.139] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm.nefilim")) returned 1 [0301.140] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd90 | out: hHeap=0x28d0000) returned 1 [0301.140] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0301.140] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bd859, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bd859, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x13e24500, ftLastWriteTime.dwHighDateTime=0x1d2ee61, nFileSizeHigh=0x0, nFileSizeLow=0x1a2c, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="default_eos.css", cAlternateFileName="DEFAUL~1.CSS")) returned 1 [0301.140] lstrcmpiW (lpString1="default_eos.css", lpString2=".") returned 1 [0301.140] lstrcmpiW (lpString1="default_eos.css", lpString2="..") returned 1 [0301.140] lstrcmpiW (lpString1="default_eos.css", lpString2="...") returned 1 [0301.140] lstrcmpiW (lpString1="default_eos.css", lpString2="windows") returned -1 [0301.140] lstrcmpiW (lpString1="default_eos.css", lpString2="$RECYCLE.BIN") returned 1 [0301.140] lstrcmpiW (lpString1="default_eos.css", lpString2="rsa") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="NTDETECT.COM") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="ntldr") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="MSDOS.SYS") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="IO.SYS") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="boot.ini") returned 1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="AUTOEXEC.BAT") returned 1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="ntuser.dat") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="desktop.ini") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="CONFIG.SYS") returned 1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="RECYCLER") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="BOOTSECT.BAK") returned 1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="bootmgr") returned 1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="programdata") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="appdata") returned 1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="program files") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="program files (x86)") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="microsoft") returned -1 [0301.141] lstrcmpiW (lpString1="default_eos.css", lpString2="sophos") returned -1 [0301.141] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd28 [0301.141] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0301.141] PathFindExtensionW (pszPath="default_eos.css") returned=".css" [0301.141] lstrcmpiW (lpString1=".css", lpString2=".exe") returned -1 [0301.141] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0301.141] lstrcmpiW (lpString1=".css", lpString2=".cab") returned 1 [0301.141] lstrcmpiW (lpString1=".css", lpString2=".cmd") returned 1 [0301.141] lstrcmpiW (lpString1=".css", lpString2=".com") returned 1 [0301.141] lstrcmpiW (lpString1=".css", lpString2=".cpl") returned 1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".url") returned -1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".mp3") returned -1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".pif") returned -1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".mp4") returned -1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".NEFILIM") returned -1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0301.142] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0301.142] lstrcmpiW (lpString1="default_eos.css", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0301.142] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbda0 [0301.142] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0301.464] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=6700) returned 1 [0301.464] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0301.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0301.465] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0301.465] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0301.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23620 [0301.465] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0301.465] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23620*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d23620*, pdwDataLen=0x26eec08*=0x100) returned 1 [0301.466] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26eec04*=0x100) returned 1 [0301.468] GetTickCount () returned 0x118b60f [0301.468] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deba0 [0301.468] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deba0 | out: hHeap=0x28d0000) returned 1 [0301.468] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1a2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.468] SetLastError (dwErrCode=0x0) [0301.468] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23620*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0301.666] GetLastError () returned 0x0 [0301.666] GetLastError () returned 0x0 [0301.666] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1b2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.666] WriteFile (in: hFile=0x26c, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0301.667] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1c2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.667] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xda1ff189, dwHighDateTime=0x1d5fd73)) [0301.667] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbcc0 [0301.667] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0301.667] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0301.667] GetProcessHeap () returned 0xa10000 [0301.667] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1a2c) returned 0xa3e6a0 [0301.667] GetSystemDefaultLangID () returned 0xa20409 [0301.667] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.667] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x1a2c, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x1a2c, lpOverlapped=0x0) returned 1 [0301.691] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.691] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x1a2c, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x1a2c, lpOverlapped=0x0) returned 1 [0301.692] GetProcessHeap () returned 0xa10000 [0301.692] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0301.692] CloseHandle (hObject=0x26c) returned 1 [0301.692] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23620 | out: hHeap=0x28d0000) returned 1 [0301.692] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0301.692] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0301.692] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0301.692] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe18 [0301.692] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css.nefilim")) returned 1 [0301.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0301.693] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0301.693] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bff6c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bff6c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea75e900, ftLastWriteTime.dwHighDateTime=0x1d2ee61, nFileSizeHigh=0x0, nFileSizeLow=0xda3a, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="default_eos.htm", cAlternateFileName="DEFAUL~1.HTM")) returned 1 [0301.693] lstrcmpiW (lpString1="default_eos.htm", lpString2=".") returned 1 [0301.693] lstrcmpiW (lpString1="default_eos.htm", lpString2="..") returned 1 [0301.693] lstrcmpiW (lpString1="default_eos.htm", lpString2="...") returned 1 [0301.693] lstrcmpiW (lpString1="default_eos.htm", lpString2="windows") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="$RECYCLE.BIN") returned 1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="rsa") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="NTDETECT.COM") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="ntldr") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="MSDOS.SYS") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="IO.SYS") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="boot.ini") returned 1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="AUTOEXEC.BAT") returned 1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="ntuser.dat") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="desktop.ini") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="CONFIG.SYS") returned 1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="RECYCLER") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="BOOTSECT.BAK") returned 1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="bootmgr") returned 1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="programdata") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="appdata") returned 1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="program files") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="program files (x86)") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="microsoft") returned -1 [0301.694] lstrcmpiW (lpString1="default_eos.htm", lpString2="sophos") returned -1 [0301.694] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbda0 [0301.694] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd28 | out: hHeap=0x28d0000) returned 1 [0301.694] PathFindExtensionW (pszPath="default_eos.htm") returned=".htm" [0301.694] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0301.694] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0301.695] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0301.695] lstrcmpiW (lpString1="default_eos.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0301.695] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0301.695] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0301.696] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=55866) returned 1 [0301.696] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0301.696] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0301.696] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0301.696] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0301.696] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22cd8 [0301.696] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d22180 [0301.696] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22cd8*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d22cd8*, pdwDataLen=0x26eec08*=0x100) returned 1 [0301.696] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d22180*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d22180*, pdwDataLen=0x26eec04*=0x100) returned 1 [0301.697] GetTickCount () returned 0x118b6f9 [0301.697] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28deb30 [0301.697] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28deb30 | out: hHeap=0x28d0000) returned 1 [0301.697] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xda3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.697] SetLastError (dwErrCode=0x0) [0301.697] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22cd8*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0301.701] GetLastError () returned 0x0 [0301.701] GetLastError () returned 0x0 [0301.701] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xdb3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.701] WriteFile (in: hFile=0x26c, lpBuffer=0x2d22180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d22180*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0301.701] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xdc3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.701] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xda24b642, dwHighDateTime=0x1d5fd73)) [0301.701] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbd38 [0301.701] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0301.701] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0301.702] GetProcessHeap () returned 0xa10000 [0301.702] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0xda3a) returned 0xa3e6a0 [0301.702] GetSystemDefaultLangID () returned 0xa20409 [0301.702] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.702] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0xda3a, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0xda3a, lpOverlapped=0x0) returned 1 [0301.707] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.707] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0xda3a, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0xda3a, lpOverlapped=0x0) returned 1 [0301.707] GetProcessHeap () returned 0xa10000 [0301.707] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0301.707] CloseHandle (hObject=0x26c) returned 1 [0301.707] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22cd8 | out: hHeap=0x28d0000) returned 1 [0301.708] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d22180 | out: hHeap=0x28d0000) returned 1 [0301.708] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0301.708] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0301.708] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbe18 [0301.708] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm.nefilim")) returned 1 [0301.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbe18 | out: hHeap=0x28d0000) returned 1 [0301.709] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0301.709] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c12fc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c12fc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1468, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="default_oobe.css", cAlternateFileName="DEFAUL~2.CSS")) returned 1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2=".") returned 1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="..") returned 1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="...") returned 1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="windows") returned -1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="$RECYCLE.BIN") returned 1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="rsa") returned -1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="NTDETECT.COM") returned -1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="ntldr") returned -1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="MSDOS.SYS") returned -1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="IO.SYS") returned -1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="boot.ini") returned 1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="AUTOEXEC.BAT") returned 1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="ntuser.dat") returned -1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="desktop.ini") returned -1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="CONFIG.SYS") returned 1 [0301.709] lstrcmpiW (lpString1="default_oobe.css", lpString2="RECYCLER") returned -1 [0301.710] lstrcmpiW (lpString1="default_oobe.css", lpString2="BOOTSECT.BAK") returned 1 [0301.710] lstrcmpiW (lpString1="default_oobe.css", lpString2="bootmgr") returned 1 [0301.710] lstrcmpiW (lpString1="default_oobe.css", lpString2="programdata") returned -1 [0301.710] lstrcmpiW (lpString1="default_oobe.css", lpString2="appdata") returned 1 [0301.710] lstrcmpiW (lpString1="default_oobe.css", lpString2="program files") returned -1 [0301.710] lstrcmpiW (lpString1="default_oobe.css", lpString2="program files (x86)") returned -1 [0301.710] lstrcmpiW (lpString1="default_oobe.css", lpString2="microsoft") returned -1 [0301.710] lstrcmpiW (lpString1="default_oobe.css", lpString2="sophos") returned -1 [0301.710] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0301.710] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbda0 | out: hHeap=0x28d0000) returned 1 [0301.710] PathFindExtensionW (pszPath="default_oobe.css") returned=".css" [0301.710] lstrcmpiW (lpString1=".css", lpString2=".exe") returned -1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".cab") returned 1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".cmd") returned 1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".com") returned 1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".cpl") returned 1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".url") returned -1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".mp3") returned -1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".pif") returned -1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".mp4") returned -1 [0301.710] lstrcmpiW (lpString1=".css", lpString2=".NEFILIM") returned -1 [0301.711] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0301.711] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0301.711] lstrcmpiW (lpString1="default_oobe.css", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0301.711] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd38 [0301.711] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0301.711] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=5224) returned 1 [0301.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0301.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0301.712] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0301.712] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0301.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23938 [0301.712] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23410 [0301.712] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23938*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d23938*, pdwDataLen=0x26eec08*=0x100) returned 1 [0301.713] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23410*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23410*, pdwDataLen=0x26eec04*=0x100) returned 1 [0301.715] GetTickCount () returned 0x118b709 [0301.715] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de858 [0301.715] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de858 | out: hHeap=0x28d0000) returned 1 [0301.715] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1468, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.715] SetLastError (dwErrCode=0x0) [0301.715] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23938*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23938*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0301.742] GetLastError () returned 0x0 [0301.742] GetLastError () returned 0x0 [0301.742] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1568, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.742] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23410*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0301.742] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1668, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.742] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xda2bde13, dwHighDateTime=0x1d5fd73)) [0301.742] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdb0 [0301.742] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb0 | out: hHeap=0x28d0000) returned 1 [0301.742] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0301.742] GetProcessHeap () returned 0xa10000 [0301.742] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1468) returned 0xa3e6a0 [0301.742] GetSystemDefaultLangID () returned 0xa20409 [0301.742] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.743] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x1468, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x1468, lpOverlapped=0x0) returned 1 [0301.744] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.744] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x1468, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x1468, lpOverlapped=0x0) returned 1 [0301.744] GetProcessHeap () returned 0xa10000 [0301.745] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0301.745] CloseHandle (hObject=0x26c) returned 1 [0301.745] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23938 | out: hHeap=0x28d0000) returned 1 [0301.745] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23410 | out: hHeap=0x28d0000) returned 1 [0301.745] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0301.745] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0301.745] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdb0 [0301.745] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css.nefilim")) returned 1 [0301.746] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb0 | out: hHeap=0x28d0000) returned 1 [0301.746] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0301.746] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c2685, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c2685, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7f589b00, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0x100ae, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="default_oobe.htm", cAlternateFileName="DEFAUL~2.HTM")) returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2=".") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="..") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="...") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="windows") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="$RECYCLE.BIN") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="rsa") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="NTDETECT.COM") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="ntldr") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="MSDOS.SYS") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="IO.SYS") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="boot.ini") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="AUTOEXEC.BAT") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="ntuser.dat") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="desktop.ini") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="CONFIG.SYS") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="RECYCLER") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="BOOTSECT.BAK") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="bootmgr") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="programdata") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="appdata") returned 1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="program files") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="program files (x86)") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="microsoft") returned -1 [0301.746] lstrcmpiW (lpString1="default_oobe.htm", lpString2="sophos") returned -1 [0301.746] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbd38 [0301.746] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0301.747] PathFindExtensionW (pszPath="default_oobe.htm") returned=".htm" [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0301.747] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0301.747] lstrcmpiW (lpString1="default_oobe.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0301.747] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbcc0 [0301.747] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0301.748] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x26eec48 | out: lpFileSize=0x26eec48*=65710) returned 1 [0301.748] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0301.748] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0301.748] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0301.748] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0301.748] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23830 [0301.748] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23a40 [0301.748] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23830*, pdwDataLen=0x26eec08*=0x10, dwBufLen=0x100 | out: pbData=0x2d23830*, pdwDataLen=0x26eec08*=0x100) returned 1 [0301.748] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23a40*, pdwDataLen=0x26eec04*=0x10, dwBufLen=0x100 | out: pbData=0x2d23a40*, pdwDataLen=0x26eec04*=0x100) returned 1 [0301.749] GetTickCount () returned 0x118b728 [0301.749] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de9e0 [0301.749] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de9e0 | out: hHeap=0x28d0000) returned 1 [0301.749] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x100ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.749] SetLastError (dwErrCode=0x0) [0301.749] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23830*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23830*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0301.776] GetLastError () returned 0x0 [0301.776] GetLastError () returned 0x0 [0301.776] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x101ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.776] WriteFile (in: hFile=0x26c, lpBuffer=0x2d23a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x2d23a40*, lpNumberOfBytesWritten=0x26eec60*=0x100, lpOverlapped=0x0) returned 1 [0301.776] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x102ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.776] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26eec1c | out: lpSystemTimeAsFileTime=0x26eec1c*(dwLowDateTime=0xda30a2a9, dwHighDateTime=0x1d5fd73)) [0301.776] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbdb0 [0301.776] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb0 | out: hHeap=0x28d0000) returned 1 [0301.777] WriteFile (in: hFile=0x26c, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26eec60*=0x7, lpOverlapped=0x0) returned 1 [0301.777] GetProcessHeap () returned 0xa10000 [0301.777] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x100ae) returned 0xa3e6a0 [0301.777] GetSystemDefaultLangID () returned 0xa20409 [0301.777] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.777] ReadFile (in: hFile=0x26c, lpBuffer=0xa3e6a0, nNumberOfBytesToRead=0x100ae, lpNumberOfBytesRead=0x26eec6c, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesRead=0x26eec6c*=0x100ae, lpOverlapped=0x0) returned 1 [0301.830] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0301.830] WriteFile (in: hFile=0x26c, lpBuffer=0xa3e6a0*, nNumberOfBytesToWrite=0x100ae, lpNumberOfBytesWritten=0x26eec60, lpOverlapped=0x0 | out: lpBuffer=0xa3e6a0*, lpNumberOfBytesWritten=0x26eec60*=0x100ae, lpOverlapped=0x0) returned 1 [0301.830] GetProcessHeap () returned 0xa10000 [0301.830] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3e6a0 | out: hHeap=0xa10000) returned 1 [0301.830] CloseHandle (hObject=0x26c) returned 1 [0301.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23830 | out: hHeap=0x28d0000) returned 1 [0301.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23a40 | out: hHeap=0x28d0000) returned 1 [0301.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0301.831] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0301.831] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dbdb0 [0301.831] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm.nefilim")) returned 1 [0301.832] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdb0 | out: hHeap=0x28d0000) returned 1 [0301.832] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbcc0 | out: hHeap=0x28d0000) returned 1 [0301.832] FindNextFileW (in: hFindFile=0xa2f560, lpFindFileData=0x26eed58 | out: lpFindFileData=0x26eed58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea5f6eb5, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x2000000, cFileName="EULA", cAlternateFileName="")) returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2=".") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="..") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="...") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="windows") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="$RECYCLE.BIN") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="rsa") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="NTDETECT.COM") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="ntldr") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="MSDOS.SYS") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="IO.SYS") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="boot.ini") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="AUTOEXEC.BAT") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="ntuser.dat") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="desktop.ini") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="CONFIG.SYS") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="RECYCLER") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="BOOTSECT.BAK") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="bootmgr") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="programdata") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="appdata") returned 1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="program files") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="program files (x86)") returned -1 [0301.832] lstrcmpiW (lpString1="EULA", lpString2="microsoft") returned -1 [0301.833] lstrcmpiW (lpString1="EULA", lpString2="sophos") returned -1 [0301.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbcc0 [0301.833] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbd38 | out: hHeap=0x28d0000) returned 1 [0301.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd18 [0301.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x50) returned 0x28dbd70 [0301.833] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x60) returned 0x28dbdc8 [0301.833] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\*.*", lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea5f6eb5, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x3000000, cFileName=".", cAlternateFileName="")) returned 0xa2f920 [0302.170] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0302.189] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea5f6eb5, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28dbcc0, dwReserved1=0x3000000, cFileName="..", cAlternateFileName="")) returned 1 [0302.290] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0302.290] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0302.290] FindNextFileW (in: hFindFile=0xa2f920, lpFindFileData=0x26eea38 | out: lpFindFileData=0x26eea38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c6124, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c6124, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1af6d, dwReserved0=0x28dbcc0, dwReserved1=0x3000000, cFileName="EULA_ar-sa.htm", cAlternateFileName="EULA_A~1.HTM")) returned 1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2=".") returned 1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="..") returned 1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="...") returned 1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="windows") returned -1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="$RECYCLE.BIN") returned 1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="rsa") returned -1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="NTDETECT.COM") returned -1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="ntldr") returned -1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="MSDOS.SYS") returned -1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="IO.SYS") returned -1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="boot.ini") returned 1 [0302.290] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="AUTOEXEC.BAT") returned 1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="ntuser.dat") returned -1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="desktop.ini") returned 1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="CONFIG.SYS") returned 1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="RECYCLER") returned -1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="BOOTSECT.BAK") returned 1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="bootmgr") returned 1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="programdata") returned -1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="appdata") returned 1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="program files") returned -1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="program files (x86)") returned -1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="microsoft") returned -1 [0302.291] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="sophos") returned -1 [0302.308] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dbe30 [0302.326] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbdc8 | out: hHeap=0x28d0000) returned 1 [0302.328] PathFindExtensionW (pszPath="EULA_ar-sa.htm") returned=".htm" [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0302.328] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0302.328] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0302.328] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x70) returned 0x28dec00 [0302.362] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0302.364] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x26ee928 | out: lpFileSize=0x26ee928*=110445) returned 1 [0302.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de2b8 [0302.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x10) returned 0x28de300 [0302.364] SystemFunction036 (in: RandomBuffer=0x28de2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x28de2b8) returned 1 [0302.364] SystemFunction036 (in: RandomBuffer=0x28de300, RandomBufferLength=0x10 | out: RandomBuffer=0x28de300) returned 1 [0302.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d23518 [0302.364] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x100) returned 0x2d230f8 [0302.364] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d23518*, pdwDataLen=0x26ee8e8*=0x10, dwBufLen=0x100 | out: pbData=0x2d23518*, pdwDataLen=0x26ee8e8*=0x100) returned 1 [0302.366] CryptEncrypt (in: hKey=0xa2f4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d230f8*, pdwDataLen=0x26ee8e4*=0x10, dwBufLen=0x100 | out: pbData=0x2d230f8*, pdwDataLen=0x26ee8e4*=0x100) returned 1 [0302.368] GetTickCount () returned 0x118b999 [0302.368] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x30) returned 0x28de938 [0302.369] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de938 | out: hHeap=0x28d0000) returned 1 [0302.369] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1af6d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0302.384] SetLastError (dwErrCode=0x0) [0302.384] WriteFile (in: hFile=0x270, lpBuffer=0x2d23518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d23518*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0302.462] GetLastError () returned 0x0 [0302.478] GetLastError () returned 0x0 [0302.478] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1b06d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0302.494] WriteFile (in: hFile=0x270, lpBuffer=0x2d230f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x2d230f8*, lpNumberOfBytesWritten=0x26ee940*=0x100, lpOverlapped=0x0) returned 1 [0302.495] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1b16d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0302.541] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ee8fc | out: lpSystemTimeAsFileTime=0x26ee8fc*(dwLowDateTime=0xdaa651e4, dwHighDateTime=0x1d5fd73)) [0302.541] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x40) returned 0x28dbea8 [0302.541] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28dbea8 | out: hHeap=0x28d0000) returned 1 [0302.541] WriteFile (in: hFile=0x270, lpBuffer=0x28d1fc0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0x28d1fc0*, lpNumberOfBytesWritten=0x26ee940*=0x7, lpOverlapped=0x0) returned 1 [0302.541] GetProcessHeap () returned 0xa10000 [0302.541] RtlAllocateHeap (HeapHandle=0xa10000, Flags=0x0, Size=0x1af6d) returned 0xa3f6a8 [0302.541] GetSystemDefaultLangID () returned 0xa20409 [0302.541] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0302.542] ReadFile (in: hFile=0x270, lpBuffer=0xa3f6a8, nNumberOfBytesToRead=0x1af6d, lpNumberOfBytesRead=0x26ee94c, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesRead=0x26ee94c*=0x1af6d, lpOverlapped=0x0) returned 1 [0302.618] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0302.703] WriteFile (in: hFile=0x270, lpBuffer=0xa3f6a8*, nNumberOfBytesToWrite=0x1af6d, lpNumberOfBytesWritten=0x26ee940, lpOverlapped=0x0 | out: lpBuffer=0xa3f6a8*, lpNumberOfBytesWritten=0x26ee940*=0x1af6d, lpOverlapped=0x0) returned 1 [0302.950] GetProcessHeap () returned 0xa10000 [0302.983] HeapFree (in: hHeap=0xa10000, dwFlags=0x0, lpMem=0xa3f6a8 | out: hHeap=0xa10000) returned 1 [0302.983] CloseHandle (hObject=0x270) returned 1 [0302.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d23518 | out: hHeap=0x28d0000) returned 1 [0302.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x2d230f8 | out: hHeap=0x28d0000) returned 1 [0302.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de2b8 | out: hHeap=0x28d0000) returned 1 [0302.984] HeapFree (in: hHeap=0x28d0000, dwFlags=0x0, lpMem=0x28de300 | out: hHeap=0x28d0000) returned 1 [0302.984] RtlAllocateHeap (HeapHandle=0x28d0000, Flags=0x0, Size=0x80) returned 0x28dec78 Thread: id = 5 os_tid = 0xd78 Thread: id = 6 os_tid = 0xd80